[Distutils] PEP470 installation security problems

Donald Stufft donald at stufft.io
Wed Oct 8 14:37:31 CEST 2014

> On Oct 8, 2014, at 8:24 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 8 October 2014 22:17, holger krekel <holger at merlinux.eu> wrote:
>> On Wed, Oct 08, 2014 at 13:05 +0100, Paul Moore wrote:
>>> On 8 October 2014 12:40, holger krekel <holger at merlinux.eu> wrote:
>>>> I am concerned about the fact that public PyPI links are merged in even
>>>> for my private packages residing on the extra index.
>>> Bluntly, that's irrelevant.
>> I disagree.  The PEP uses merging of public and private links in
>> the main rationale section which comes before discussing migration
>> strategies.  It's used as motivation aka "look how easy it is
>> to use additional/multi indexes" and not as a particular migration
>> strategy that shouldn't be used otherwise.
> OK, I think I understand your concern now - the PEP includes an
> example of a practice that you don't like and would prefer to see
> strongly discouraged.

Does it? The only examples in the PEP are showing:

A) How can I, as an author of a project who wishes to use this new
   mechanism do so for my project.
B) How can I, as a user of a project who is using this new mechanism
   tell pip to add this additional *public* repository so that I can
   install it since they don’t host on PyPI.

> We can just delete all references to private indexes from the PEP, as
> they were merely included as an illustration of one of the reasons the
> multi-index/alternative-index support already exists. If you find the
> example distracting from the actual point of the PEP, then the example
> isn't serving its purpose, and we're better off without it.

There is really only one mention in the entire PEP that I can remember or
find in a quick re-skim. That is in:

"Additionally, the multiple repository approach is a concept that is useful
outside of the narrow scope of allowing projects which wish to be included on
the index portion of PyPI but do not wish to utilize the repository portion of
PyPI. This includes places where a company may wish to host a repository that
contains their internal packages or where a project may wish to have multiple
"channels" of releases, such as alpha, beta, release candidate, and final

Which is just saying “hey this concept of pip works with repositories, not PyPI,
PyPI just happens to be the default repository” not only already exists, but is
useful in more situations and one of those situations is internal company

I can remove the half a dozen total words that constitute the only reference
in the PEP to a private anything, but I’m still confused how this somehow
correlates to the PEP advocating everyone switch to using --extra-index-url
for their private repositories when in reality the PEP is giving an example
of what someone would need to do, as pip currently stands, to utilize a project
that uses this feature.

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
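The concern raised earlier in the thread is that an installer configured with a main index plus an extra index merges the candidate lists from both and picks the best version regardless of which index offered it, so a name that only exists privately can be shadowed by a same-named release on the public index. The following is an added illustration of that merging logic and of a simple mitigation (restricting declared-private names to the private index); it is not pip's code and not part of the PEP or this post, and the index URLs, project names and versions are constructed sample data.

```python
"""
Simulate how an installer that merges candidate lists from a main index and an
"extra" index chooses a version, and how restricting a set of private package
names to the private index changes the outcome.

Added illustration only: this is not pip's resolver. All index URLs, project
names and versions below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, ...]  # comparable version tuple, e.g. (1, 2, 0)
    index: str                # URL of the index that offered this candidate


# Hypothetical index URLs (assumptions for the example).
PUBLIC_INDEX = "https://public.example/simple"
PRIVATE_INDEX = "https://private.example/simple"

# Constructed sample data: both indexes offer a project called
# "internal-tool"; only the private index's copy is the legitimate one.
SAMPLE_CANDIDATES: List[Candidate] = [
    Candidate("requests", (2, 4, 3), PUBLIC_INDEX),
    Candidate("internal-tool", (1, 2, 0), PRIVATE_INDEX),
    Candidate("internal-tool", (99, 0, 0), PUBLIC_INDEX),
]


def merged_pick(name: str, candidates: List[Candidate]) -> Optional[Candidate]:
    """Merge every index and take the highest version, ignoring its source.

    This mirrors the behaviour the thread is worried about: the public
    index's candidates are merged in even for a name that should be private.
    """
    matches = [c for c in candidates if c.name == name]
    return max(matches, key=lambda c: c.version) if matches else None


def pinned_pick(name: str, candidates: List[Candidate],
                private_names: Set[str], private_index: str) -> Optional[Candidate]:
    """Same selection, but names declared private may only come from
    the private index; every other index's offer for them is discarded."""
    matches = [c for c in candidates if c.name == name]
    if name in private_names:
        matches = [c for c in matches if c.index == private_index]
    return max(matches, key=lambda c: c.version) if matches else None


def audit_private_names(candidates: List[Candidate], private_names: Set[str],
                        private_index: str) -> Dict[str, List[str]]:
    """Report each private name that some other index also offers, with the
    offending index URLs, so the overlap can be spotted before installing."""
    report: Dict[str, List[str]] = {}
    for c in candidates:
        if c.name in private_names and c.index != private_index:
            report.setdefault(c.name, []).append(c.index)
    return report


if __name__ == "__main__":
    private = {"internal-tool"}
    print("merged :", merged_pick("internal-tool", SAMPLE_CANDIDATES))
    print("pinned :", pinned_pick("internal-tool", SAMPLE_CANDIDATES,
                                  private, PRIVATE_INDEX))
    print("overlap:", audit_private_names(SAMPLE_CANDIDATES, private,
                                          PRIVATE_INDEX))
```

With the sample data, the merged selection returns the public index's 99.0.0 for "internal-tool", while the pinned selection returns the private 1.2.0, and the audit lists the public index as also offering that name. The mapping of names to a single allowed index is the point: an installer that only knows "a list of indexes" cannot express it, which is why the thread distinguishes using an extra public index for a project that is not hosted on the default repository from relying on index merging for private packages.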
