[Distutils] PEP470 installation security problems

Nick Coghlan ncoghlan at gmail.com
Wed Oct 8 12:32:33 CEST 2014

On 8 October 2014 20:06, holger krekel <holger at merlinux.eu> wrote:
> Given that PyPI is a wiki and Linux Distros are a curated index, i
> insist it's dangerous to recommend to mix multiple indexes with pip if
> you don't know quite exactly what you are doing.  Do you really disagree
> on this?

Hence this line in the PEP:

    End users wishing to limit what files they pull from which
repository can simply use devpi to whitelist projects from PyPI or
another repository.

Anyone running a private PyPI mirror without disabling the use of
upstream indexes entirely is already running their infrastructure in a
dangerously insecure configuration. That has nothing to do with PEP


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Distutils-SIG mailing list