[Distutils] PEP470 installation security problems

Donald Stufft donald at stufft.io
Wed Oct 8 13:07:15 CEST 2014


> On Oct 8, 2014, at 7:03 AM, Paul Moore <p.f.moore at gmail.com> wrote:
> 
> On 8 October 2014 11:33, holger krekel <holger at merlinux.eu> wrote:
>>> The use of --extra-index-url in
>>> PEP 470 is to show how someone would add one of the extra repositories for a
>>> project that is indexed on PyPI, which is again roughly as safe as installing
>>> from PyPI at all.
>> 
>> Then we are reading the sections I cite above very differently -- IMO
>> you and the PEP generally push for multi-index ops without explaining
>> the risks.
>> 
>> Maybe someone else can chime in.
> 
> Chiming in because you asked for other opinions, although I've not yet
> read to the end of the thread...
> 
> I read this section, and indeed the whole of the PEP, as basically saying:
> 
> 1. We have a problem because PEP 438 didn't turn out so well in practice.
> 2. We have an existing mechanism (multi-index support).
> 3. The existing mechanism can be used as follows to better solve the
> problem PEP 438 tried to solve.
> 
> I don't see any "encouragement" to use multi-index support, other than
> in the specific case PEP 438 was aimed at. Obviously PEP 470 raises
> the profile of multi-index support, which might cause people to use it
> ill-advisedly in inappropriate situations, but that's not the fault of
> PEP 470, and I don't want to see PEP 470 filled with warnings about
> how *other* uses of multi-index support might be inappropriate,
> because that will distract from the core message that is "we can fix
> the external hosting issue without needing clients to add a new
> mechanism".
> 
> Paul

This is more or less exactly what I intend the PEP to say (and what I think
it does).

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
