[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Tres Seaver tseaver at palladion.com
Wed Mar 13 17:54:04 CET 2013

Hash: SHA1

On 03/12/2013 03:57 PM, holger krekel wrote:
> Nobody should be lead to think that PYPI is a trusted or reviewed
> source of software even if we got rid of external hosting completely.

Amen.  I still boggle at the amount of "sky is falling" stuff here over
MITM / external links / whatever, given the potential damaage from
explicitly malicious uploads (trojans, viruses, whatever).  Package
signing might help here, but only for consumers who willing to think hard
enough about the problem to manage a web of trust (frankly, a vanishingly
small minority).

And then there are these problems:

- - Backward-imcompatible releases (even those which make appropriate
  signals in their version numbers).

- - Removal of distributions / releases / projects.

- - Re-upload of new distributions which sliently replace previous
  distributions *of the same release* ("Yes, Virginia, there are
  people out there who do this").

which are deal-killers for the folks who want always-on, reliable,
repeatable, automatic installation from PyPI (instead of creating their
own indexes).

Adding HTTPS or removing external links does nothing to mitigate those

- -- 
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/


More information about the Catalog-SIG mailing list