[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Jacob Kaplan-Moss jacob at jacobian.org
Tue Mar 12 16:42:28 CET 2013


On Tue, Mar 12, 2013 at 10:38 AM, PJ Eby <pje at telecommunity.com> wrote:
> I'll ask it again: why should *thousands* of projects be censored or
> made to change their release processes, because *you* can't be
> bothered to cache the distributions of the projects you depend on?

Because externally-hosted files are a security risk, one that most
users don't realize exists.

We can either fix this problem now, or we can wait until someone is
compromised using PyPI as a vector.

Jacob
