[Distutils] PEP 470 discussion, part 3

Donald Stufft donald at stufft.io
Thu Jul 24 17:26:08 CEST 2014


On July 24, 2014 at 6:40:47 AM, Vladimir Diaz (vladimir.v.diaz at gmail.com) wrote:
> > In metadata 2.0 even with package signing you end up where I can have you install “django-foobar” which depends on “FakeDjango”, which provides “Django”, and then for all intents and purposes you have a “Django” package installed.
>
> Can you go into more detail?  Particularly, the part where "FakeDjango" provides Django.
>
> Richard Jones mentions the case where an external index provides an "updated release" and tricks the updater into installing a compromised "Django."  Is this the same thing?


No, it’s not the same thing. Metadata 2.0 provides mechanisms for one package to claim to be another package. This only takes effect once that package has been installed, though. This functionality allows things like a package providing a compatible shim that uses different internal guts, or one package obsoleting another, or even multiple packages “providing” the same thing and letting the user select which one they want to use at install time.

-- 
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
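The substitution Donald describes, played out in a toy resolver. This is an added example for the archive page, not pip's resolver and not code from anyone in the thread; the index contents are constructed (“django-foobar”, “FakeDjango” and “Django” come from the message, “my-app” and the requires/provides lists are assumptions), and the Provides semantics are a deliberate simplification of what Metadata 2.0 proposed. It shows that once an installed package may claim another name, a later requirement for the real name is silently satisfied by the impostor, and it includes the audit check a practitioner would run to find such shadowed names.

```python
from collections import deque

# Constructed package index for the example (not a real index):
# name -> {"requires": [names], "provides": [names this package claims to be]}
INDEX = {
    "django-foobar": {"requires": ["FakeDjango"], "provides": []},
    "FakeDjango":    {"requires": [],             "provides": ["Django"]},
    "Django":        {"requires": [],             "provides": []},
    "my-app":        {"requires": ["Django"],     "provides": []},  # assumed consumer
}


def satisfying(index, installed, requirement, honour_provides=True):
    """Return the name of the installed package that satisfies `requirement`,
    or None.  With honour_provides, an installed package whose Provides list
    names the requirement counts as satisfying it; that is the substitution
    the thread is about."""
    if requirement in installed:
        return requirement
    if honour_provides:
        for name in installed:
            if requirement in index[name]["provides"]:
                return name
    return None


def install(index, root, installed, honour_provides=True):
    """Install `root` plus whatever of its transitive requirements is not
    already satisfied.  `installed` (a list, in install order) is updated in
    place; the packages added by this call are returned in order."""
    added = []
    queue = deque([root])
    while queue:
        req = queue.popleft()
        if satisfying(index, installed, req, honour_provides) is not None:
            continue
        if req not in index:
            raise LookupError(f"no package named {req!r} on the index")
        installed.append(req)
        added.append(req)
        queue.extend(index[req]["requires"])
    return added


def shadowed(index, installed):
    """Audit check: names that are 'present' only because some other
    installed package claims to provide them.  Returns {claimed: provider}."""
    return {
        claimed: name
        for name in installed
        for claimed in index[name]["provides"]
        if claimed not in installed
    }


def scenario(honour_provides=True):
    """Two installs in sequence, as in the message: first django-foobar
    (pulling in FakeDjango), then an app that requires Django."""
    installed = []
    first = install(INDEX, "django-foobar", installed, honour_provides)
    second = install(INDEX, "my-app", installed, honour_provides)
    django = satisfying(INDEX, installed, "Django", honour_provides)
    return first, second, django, shadowed(INDEX, installed)


if __name__ == "__main__":
    print("honouring Provides:", scenario(True))
    print("ignoring Provides: ", scenario(False))
```

With Provides honoured, the second install never fetches the real Django because FakeDjango already "is" Django as far as the installed set is concerned; with Provides ignored, the real package is pulled in. Note that the impostor is invisible to a plain `name in installed` check, which is why `shadowed()` inspects the Provides claims rather than the installed names.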

