[Distutils] PEP470 installation security problems

Nick Coghlan ncoghlan at gmail.com
Wed Oct 8 12:44:19 CEST 2014

On 8 October 2014 20:33, holger krekel <holger at merlinux.eu> wrote:
> Then we are reading the sections i cite above very differently -- IMO
> you and the PEP generally push for multi-index ops without explaining
> the risks.

Note that this explanation is present in the PEP:

    Currently both pip and setuptools implement multiple repository
support by using the best installation candidate it can find from
either repository, essentially treating it as if it were one large

Is it mainly that you would like the consequences of that in terms of
any listed index being able to provide any requested package to be
spelled out more clearly?


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Distutils-SIG mailing list