[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Tres Seaver tseaver at palladion.com
Wed Mar 13 17:54:04 CET 2013



On 03/12/2013 03:57 PM, holger krekel wrote:
> Nobody should be led to think that PYPI is a trusted or reviewed
> source of software even if we got rid of external hosting completely.

Amen.  I still boggle at the amount of "sky is falling" stuff here over
MITM / external links / whatever, given the potential damage from
explicitly malicious uploads (trojans, viruses, whatever).  Package
signing might help here, but only for consumers who are willing to think hard
enough about the problem to manage a web of trust (frankly, a vanishingly
small minority).

And then there are these problems:

- Backward-incompatible releases (even those which make appropriate
  signals in their version numbers).

- Removal of distributions / releases / projects.

- Re-upload of new distributions which silently replace previous
  distributions *of the same release* ("Yes, Virginia, there are
  people out there who do this").

which are deal-killers for the folks who want always-on, reliable,
repeatable, automatic installation from PyPI (instead of creating their
own indexes).

Adding HTTPS or removing external links does nothing to mitigate those
issues.


Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
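The second and third problems in the post (removed files, and a re-upload that silently replaces a distribution of the same release) are exactly what a local hash pin detects and HTTPS does not. The following is an added example, not code from the post or from PyPI: it records a sha256 pin per release file from a first fetch and flags any later fetch where a pinned file is missing or its bytes changed. The filenames and file contents are constructed for the example.

```python
import hashlib

# Constructed sample: the release files an installer fetched on day one,
# keyed by distribution filename (bytes are made up for this example).
FIRST_SNAPSHOT = {
    "foo-1.0.tar.gz": b"original sdist contents",
    "foo-1.0-py2.py3-none-any.whl": b"original wheel contents",
}

# Constructed sample of a later fetch of the *same release*: the sdist was
# re-uploaded with different bytes and the wheel was removed from the index.
LATER_SNAPSHOT = {
    "foo-1.0.tar.gz": b"re-uploaded sdist contents",
}


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of a release file's bytes."""
    return hashlib.sha256(data).hexdigest()


def pin_release_files(files: dict) -> dict:
    """Record a sha256 pin for every release file seen in a fetch.

    This is the minimal form of the 'own index' the post mentions: the
    installer keeps its own record of what a release looked like.
    """
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_against_pins(pins: dict, files: dict) -> dict:
    """Compare a fresh fetch against recorded pins.

    Returns lists of filenames that are unchanged ('ok'), whose bytes differ
    from the pin ('replaced'), or that are no longer served ('missing').
    """
    report = {"ok": [], "replaced": [], "missing": []}
    for name, expected in sorted(pins.items()):
        if name not in files:
            report["missing"].append(name)
        elif sha256_hex(files[name]) != expected:
            report["replaced"].append(name)
        else:
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    pins = pin_release_files(FIRST_SNAPSHOT)
    print(verify_against_pins(pins, LATER_SNAPSHOT))
```

A pin mismatch only says the bytes changed; deciding whether that is a benign re-upload or something worse still needs a human, which is the point the post makes about repeatable installs.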