[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

M.-A. Lemburg mal at egenix.com
Tue Mar 12 17:41:31 CET 2013


On 12.03.2013 17:29, Jacob Kaplan-Moss wrote:
> On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>> So let's do this carefully and find a good solution before
>> jumping to conclusions.
> 
> Completely agreed; rushing is a bad idea.
> 
> But so is not starting. What I'm seeing — as a total outsider, a user
> of these tools, not someone who creates them — is that a bunch of
> people (Holger, Donald, Richard, the pip maintainers, etc.) have the
> beginnings of a solution ready to go *right now*, and I want to
> capture that energy and enthusiasm before it evaporates.
> 
> This isn't an academic situation; I've seen companies decline to adopt
> Python over this exact security issue. I can't share details in
> writing but ask me at PyCon and I can tell you some stories.
> Externally-hosted packages are a security risk, full stop.
> 
> There's likely an even better solution involving strong cryptography
> and such, but there's also an incremental improvement on the table
> right now. Nobody's suggesting that we do this hastily or all at once,
> but there *is* a proposal to get the process started right now. Why
> shouldn't we get going while there's momentum?

Sure; I'm just saying that we need to test drive the proposal
before actually adopting it.

I'm also trying to get some of the more radical unneeded changes
reconsidered. We don't need to break things just because we can -
let's leave that to our kids ;-)

Holger has already addressed much of this in his V2 proposal
and apart from the time frame and some details, it looks good.

Meanwhile, I've been playing around with the earlier proposal
I put forward:

http://wiki.python.org/moin/PyPI/DownloadMetaDataProposal

to secure external links and found several issues while
implementing it. It's easy to draw up a design, but you
only get down to the problems when actually trying to
implement it.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 12 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
