[Distutils] PEP470 installation security problems

holger krekel holger at merlinux.eu
Wed Oct 8 14:43:55 CEST 2014

On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
> On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
> >
> > No, i am not concerned about the extra index supplying whatever packages.
> > After all, the users specifies the option and should trust that index.
> >
> > I am concerned about the fact that public PyPI links are merged in even
> > for my private packages residing on the extra index.
> That's what a default repository *does*. It's always on, unless you
> explicitly turn it off. Hence the name *extra index*. The index URL
> option is the one to use if you want to *replace* the index.

Nick, i don't know why you are saying this.  Do you think i don't know this?

My point is that PyPI makes for a very different default repository than the
Debian or Redhat one.  Or do you disagree there?


More information about the Distutils-SIG mailing list