[Distutils] PEP470 installation security problems
holger at merlinux.eu
Wed Oct 8 14:43:55 CEST 2014
On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
> On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
> > No, i am not concerned about the extra index supplying whatever packages.
> > After all, the users specifies the option and should trust that index.
> > I am concerned about the fact that public PyPI links are merged in even
> > for my private packages residing on the extra index.
> That's what a default repository *does*. It's always on, unless you
> explicitly turn it off. Hence the name *extra index*. The index URL
> option is the one to use if you want to *replace* the index.
Nick, i don't know why you are saying this. Do you think i don't know this?
My point is that PyPI makes for a very different default repository than the
Debian or Redhat one. Or do you disagree there?
More information about the Distutils-SIG