[Distutils] PEP470 installation security problems

Paul Moore p.f.moore at gmail.com
Wed Oct 8 13:03:49 CEST 2014

On 8 October 2014 11:33, holger krekel <holger at merlinux.eu> wrote:
>> The use of --extra-index-url in
>> PEP 470 is to show how someone would add one of the extra repositories for a
>> project that is indexed on PyPI, which is again roughly as safe as installing
>> from PyPI at all.
> Then we are reading the sections i cite above very differently -- IMO
> you and the PEP generally push for multi-index ops without explaining
> the risks.
> Maybe someone else can chime in.

Chiming in because you asked for other opinions, although I've not yet
read to the end of the thread...

I read this section, and indeed the whole of the PEP, as basically saying:

1. We have a problem because PEP 438 didn't turn out so well in practice.
2. We have an existing mechanism (multi-index support).
3. The existing mechanism can be used as follows to better solve the
problem PEP 438 tried to solve.

I don't see any "encouragement" to use multi-index support, other than
in the specific case PEP 438 was aimed at. Obviously PEP 470 raises
the profile of multi-index support, which might cause people to use it
ill-advisedly in inappropriate situations, but that's not the fault of
PEP 470, and I don't want to see PEP 470 filled with warnings about
how *other* uses of multi-index support might be inappropriate,
because that will distract from the core message that is "we can fix
the external hosting issue without needing clients to add a new


More information about the Distutils-SIG mailing list