[Distutils] PEP470 installation security problems

Nick Coghlan ncoghlan at gmail.com
Wed Oct 8 14:18:35 CEST 2014


On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
>
> No, i am not concerned about the extra index supplying whatever packages.
> After all, the user specifies the option and should trust that index.
>
> I am concerned about the fact that public PyPI links are merged in even
> for my private packages residing on the extra index.

That's what a default repository *does*. It's always on, unless you
explicitly turn it off. Hence the name *extra index*. The index URL
option is the one to use if you want to *replace* the index.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
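The behaviour Nick describes, as an added illustration (not code from pip or from anyone on this thread): a simplified model in which pip merges the candidate lists from every configured index and picks the newest matching version, so a private package name that also exists on the default index resolves to whichever index carries the higher version. The index URLs, package name and version numbers below are constructed for the example.

```python
"""Simplified model of how pip's --index-url and --extra-index-url combine.

Added illustration only; this is not pip's code. The model assumes pip
merges candidates from all configured indexes and selects the highest
version, which is why an extra index does not shield a private name from
the default index."""

from dataclasses import dataclass

DEFAULT_INDEX = "https://pypi.org/simple"
# Hypothetical private index used only for this example.
PRIVATE_INDEX = "https://pypi.example.internal/simple"


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index_url: str


# Constructed sample catalogue: the same (hypothetical) name on both indexes.
SAMPLE_INDEXES = {
    DEFAULT_INDEX: [Candidate("mytool", "9.0", DEFAULT_INDEX)],
    PRIVATE_INDEX: [Candidate("mytool", "1.2", PRIVATE_INDEX)],
}


def version_key(version):
    """Order plain dotted versions numerically (enough for this model)."""
    return tuple(int(part) for part in version.split("."))


def configured_indexes(index_url=None, extra_index_urls=()):
    """--index-url replaces the default index; --extra-index-url adds to it."""
    base = DEFAULT_INDEX if index_url is None else index_url
    return [base, *extra_index_urls]


def resolve(name, indexes, catalogue=SAMPLE_INDEXES):
    """Merge candidates from every configured index and take the newest."""
    candidates = [c for url in indexes
                  for c in catalogue.get(url, []) if c.name == name]
    if not candidates:
        raise LookupError(f"no candidate for {name!r}")
    return max(candidates, key=lambda c: version_key(c.version))


if __name__ == "__main__":
    merged = resolve("mytool", configured_indexes(extra_index_urls=[PRIVATE_INDEX]))
    replaced = resolve("mytool", configured_indexes(index_url=PRIVATE_INDEX))
    print("extra-index-url ->", merged.index_url, merged.version)
    print("index-url       ->", replaced.index_url, replaced.version)
```

With the extra index the default index's newer version wins; only replacing the index with --index-url confines resolution of the private name to the private index.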
