[Distutils] PEP470 installation security problems

Paul Moore p.f.moore at gmail.com
Wed Oct 8 14:05:08 CEST 2014


On 8 October 2014 12:40, holger krekel <holger at merlinux.eu> wrote:
> I am concerned about the fact that public PyPI links are merged in even
> for my private packages residing on the extra index.

Bluntly, that's irrelevant.

That's how pip works. Maybe it's not the best way, maybe a feature
request for pip would be worth pursuing, maybe you could even argue
that it's a security issue with pip. But it's not relevant to this
PEP, which simply says that "for this *specific* problem, multi-index
support is a viable solution". Asking for a change in behaviour from
pip in this specific case is not what the PEP is about. Actually,
pip's behaviour in general is not subject to the PEP process (as
Donald pointed out, trying to make it be is what got PEP 438 in
trouble).

Paul
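The behaviour Holger is concerned about and Paul describes as "how pip works" can be made concrete with a small simulation. This is an added example, not code from the thread or from pip itself: it models pip's lack of preference between --index-url and --extra-index-url (all candidates go into one pool and the highest version wins), then runs the check a practitioner would want before relying on an extra index for private packages. The index contents are constructed; "private-lib", "internal-tool" and the host names in the comments are hypothetical, and version parsing is simplified to dotted integers rather than full PEP 440.

```python
"""Simulate pip-style candidate merging across --index-url and --extra-index-url.

Added example for the Distutils-SIG thread above; not pip's own code.
Index contents are constructed; package names and hosts are hypothetical.
"""


def parse_version(s):
    # Simplification of PEP 440: dotted integers only, no pre-release tags.
    return tuple(int(part) for part in s.split("."))


# Constructed contents of a private index, e.g. https://pypi.example.internal/simple/
PRIVATE_INDEX = {
    "private-lib": ["1.0.0", "1.1.0"],
    "internal-tool": ["0.3.0"],
}

# Constructed stand-in for https://pypi.org/simple/. Someone has published
# a package with the same name as the private one, at a higher version.
PUBLIC_INDEX = {
    "requests": ["2.4.3"],
    "private-lib": ["1.1.0", "9.9.9"],
}


def merged_candidates(name, *indexes):
    """Merge every index's candidates for `name` into one pool.

    Each index is a (label, {name: [versions]}) pair. As with pip, no index is
    preferred over another: the pool is simply ranked by version, highest first.
    """
    pool = []
    for label, index in indexes:
        for v in index.get(name, []):
            pool.append((parse_version(v), v, label))
    return sorted(pool, reverse=True)


def select(name, *indexes):
    """Return (version, source_label) for the candidate that would be installed."""
    pool = merged_candidates(name, *indexes)
    if not pool:
        raise LookupError("no candidates for %s" % name)
    _, version, label = pool[0]
    return version, label


def shadowed_private_names(private, public):
    """Pre-deployment check: private package names that also exist on the
    public index, together with the candidate that would actually win."""
    report = {}
    for name in private:
        if name in public:
            report[name] = select(name, ("private", private), ("public", public))
    return report


if __name__ == "__main__":
    for name in sorted(PRIVATE_INDEX):
        print(name, "->", select(name, ("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)))
    print("shadowed:", shadowed_private_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

For "internal-tool" the private candidate wins because nothing else exists; for "private-lib" the public 9.9.9 wins because pip gives the extra index no priority. The check reports exactly the names where that can happen, which is the signal to either serve all packages from a single --index-url that you control, or pin the affected requirements to a version that only the private index carries.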

