[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Jacob Kaplan-Moss jacob at jacobian.org
Tue Mar 12 17:29:45 CET 2013

On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> So let's do this carefully and find a good solution before
> jumping to conclusions.

Completely agreed; rushing is a bad idea.

But so is not starting. What I'm seeing — as a total outsider, a user
of these tools, not someone who creates them — is that a bunch of
people (Holger, Donald, Richard, the pip maintainers, etc.) have the
beginnings of a solution ready to go *right now*, and I want to
capture that energy and enthusiasm before it evaporates.

This isn't an academic situation; I've seen companies decline to adopt
Python over this exact security issue. I can't share details in
writing but ask me at PyCon and I can tell you some stories.
Externally-hosted packages are a security risk, full stop.

There's likely a even better solution involving strong cryptography
and such, but there's also an incremental improvement on the table
right now. Nobody's suggesting that we do this hastily or all at once,
but there *is* a proposal to get the process started right now. Why
shouldn't we get going while there's momentum?


More information about the Catalog-SIG mailing list