[Distutils] PEP470 installation security problems

Nick Coghlan ncoghlan at gmail.com
Wed Oct 8 12:32:33 CEST 2014


On 8 October 2014 20:06, holger krekel <holger at merlinux.eu> wrote:
> Given that PyPI is a wiki and Linux Distros are a curated index, I
> insist it's dangerous to recommend to mix multiple indexes with pip if
> you don't know quite exactly what you are doing.  Do you really disagree
> on this?

Hence this line in the PEP:

    End users wishing to limit what files they pull from which
    repository can simply use devpi to whitelist projects from PyPI or
    another repository.

Anyone running a private PyPI mirror without disabling the use of
upstream indexes entirely is already running their infrastructure in a
dangerously insecure configuration. That has nothing to do with PEP
470.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
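Added example, not part of the thread: a small audit of a pip.conf that flags the configuration Nick calls dangerous, more than one index being consulted for the same project names. It uses pip's real `index-url` and `extra-index-url` options; the sample configurations and the internal mirror hostname are constructed for illustration.

```python
"""Flag pip configurations that mix a private index with other indexes.

pip reads an INI-style pip.conf. `index-url` replaces the default index,
while `extra-index-url` adds indexes that pip searches in addition, with
no preference between them, so a name missing from the private index can
be satisfied from any other index listed.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample configurations (hostnames are placeholders).
MIXED_CONF = """
[global]
index-url = https://pypi.mirror.example/simple
extra-index-url =
    https://pypi.org/simple
"""

CURATED_CONF = """
[global]
index-url = https://pypi.mirror.example/simple
"""


def configured_indexes(conf_text: str) -> list[str]:
    """Return every index URL pip would consult, in configured order."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    urls = []
    for key in ("index-url", "extra-index-url"):
        # extra-index-url may hold several URLs, one per continuation line.
        raw = parser.get("global", key, fallback="")
        urls.extend(u for u in raw.split() if u)
    return urls


def audit(conf_text: str) -> list[str]:
    """Return findings; an empty list means a single HTTPS index."""
    urls = configured_indexes(conf_text)
    findings = []
    if not urls:
        findings.append("no index-url set; pip falls back to the public index")
    if len(urls) > 1:
        hosts = sorted({urlsplit(u).hostname or u for u in urls})
        findings.append("multiple indexes consulted: " + ", ".join(hosts))
    for u in urls:
        if urlsplit(u).scheme != "https":
            findings.append("index not served over HTTPS: " + u)
    return findings


if __name__ == "__main__":
    for name, conf in (("mixed", MIXED_CONF), ("curated", CURATED_CONF)):
        print(name, audit(conf) or ["ok"])
```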

