[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Robert Collins robertc at robertcollins.net
Wed Mar 13 18:41:33 CET 2013

On 14 March 2013 05:54, Tres Seaver <tseaver at palladion.com> wrote:
> Hash: SHA1
> On 03/12/2013 03:57 PM, holger krekel wrote:
>> Nobody should be lead to think that PYPI is a trusted or reviewed
>> source of software even if we got rid of external hosting completely.
> Amen.  I still boggle at the amount of "sky is falling" stuff here over
> MITM / external links / whatever, given the potential damaage from
> explicitly malicious uploads (trojans, viruses, whatever).  Package
> signing might help here, but only for consumers who willing to think hard
> enough about the problem to manage a web of trust (frankly, a vanishingly
> small minority).

Well yes HTTPS and external links are problems which it is necessary
to solve, and not sufficient to make 'pypi secure' - but that doesn't
mean we should do a poor job solving them.

Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services

More information about the Catalog-SIG mailing list