[Distutils] PEP470 installation security problems

Nick Coghlan ncoghlan at gmail.com
Wed Oct 8 14:24:31 CEST 2014

On 8 October 2014 22:17, holger krekel <holger at merlinux.eu> wrote:
> On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote:
>> On 8 October 2014 12:40, holger krekel <holger at merlinux.eu> wrote:
>> > I am concerned about the fact that public PyPI links are merged in even
>> > for my private packages residing on the extra index.
>> Bluntly, that's irrelevant.
> I disagree.  The PEP uses merging of public and private links in
> the main rationale section which comes before discussing migration
> strategies.  It's used as motivation aka "look how easy it is
> to use additional/multi indexes" and not as a particular migration
> strategy that shouldn't be used otherwise.

OK, I think I understand your concern now - the PEP includes an
example of a practice that you don't like and would prefer to see
strongly discouraged.

We can just delete all references to private indexes from the PEP, as
they were merely included as an illustration of one of the reasons the
multi-index/alternative-index support already exists. If you find the
example distracting from the actual point of the PEP, then the example
isn't serving its purpose, and we're better off without it.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
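As an added illustration that is not part of the thread, the pip configuration that produces the behaviour Holger describes (an `extra-index-url` is merged with the default public index, so a private package name is looked up on both) next to the alternative of a single `index-url` pointing at an index under your own control that also serves the public packages you need. The URLs and file path are placeholders, not values from the list post.

```ini
# pip.conf / pip.ini (placeholder path: ~/.config/pip/pip.conf)

# Setting A: private index added as an *extra* index.
# pip merges the candidate links from the public index and the private
# one for every requirement, including packages that exist only on the
# private index, which is the merging the thread objects to.
[global]
extra-index-url = https://private.example.invalid/simple

# Setting B: the private index is the *only* index pip consults.
# Resolution is confined to an index you control; public packages
# must be made available through that same index (mirror or proxy),
# so no name is ever resolved against a second, uncontrolled source.
# [global]
# index-url = https://private.example.invalid/simple
```

The two `[global]` blocks are alternatives; keep only one active. Pin versions and verify hashes in requirements files regardless of which setting is chosen, since the index choice alone does not authenticate what is downloaded.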
