[Distutils] PEP470 installation security problems

Nick Coghlan ncoghlan at gmail.com
Wed Oct 8 14:18:35 CEST 2014

On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
> No, i am not concerned about the extra index supplying whatever packages.
> After all, the users specifies the option and should trust that index.
> I am concerned about the fact that public PyPI links are merged in even
> for my private packages residing on the extra index.

That's what a default repository *does*. It's always on, unless you
explicitly turn it off. Hence the name *extra index*. The index URL
option is the one to use if you want to *replace* the index.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Distutils-SIG mailing list