[Distutils] PEP470 installation security problems

Donald Stufft donald at stufft.io
Wed Oct 8 14:47:05 CEST 2014


> On Oct 8, 2014, at 8:43 AM, holger krekel <holger at merlinux.eu> wrote:
> 
> On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
>> On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
>>> 
>>> No, i am not concerned about the extra index supplying whatever packages.
>>> After all, the user specifies the option and should trust that index.
>>> 
>>> I am concerned about the fact that public PyPI links are merged in even
>>> for my private packages residing on the extra index.
>> 
>> That's what a default repository *does*. It's always on, unless you
>> explicitly turn it off. Hence the name *extra index*. The index URL
>> option is the one to use if you want to *replace* the index.
> 
> Nick, i don't know why you are saying this.  Do you think i don't know this?
> 
> My point is that PyPI makes for a very different default repository than the
> Debian or Redhat one.  Or do you disagree there?

If you understand that, then your statements in here don’t make any sense to me.
What is it you’re trying to achieve exactly? Do you think the PEP should be
rejected? Do you think it needs amending? You’re saying things that I can’t reconcile
how they relate to the PEP (and I’m apparently not the only one) nor can I convert
them into actionable feedback.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
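To make the behaviour under discussion concrete, here is an added example (not code from the thread, pip, or PyPI) that simulates how candidates from an extra index are merged with the default repository and offers the check an operator would want before relying on that merge. It assumes a resolver that simply takes the highest version among all merged candidates; the index contents and the name `acme-internal` are constructed.

```python
"""Simulated index merging: an extra index's candidates are merged with the
default repository's, whereas a replacement index stands alone."""
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]  # package name -> available versions

# Constructed sample index contents (not real PyPI data).
PUBLIC_INDEX: Index = {"requests": ["2.4.0", "2.4.1"], "acme-internal": ["99.0"]}
PRIVATE_INDEX: Index = {"acme-internal": ["1.2", "1.3"]}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def candidates(name: str, indexes: List[Tuple[str, Index]]) -> List[Tuple[Tuple[int, ...], str, str]]:
    """Collect (parsed, raw, source) for every version of `name` across all
    configured indexes; an extra index is just one more entry in `indexes`."""
    found = []
    for label, idx in indexes:
        for v in idx.get(name, []):
            found.append((parse_version(v), v, label))
    return found


def pick(name: str, indexes: List[Tuple[str, Index]]) -> Optional[Tuple[str, str]]:
    """Assumed resolver rule: highest version wins, regardless of which index
    supplied it. Returns (version, source) or None if nothing is available."""
    found = candidates(name, indexes)
    if not found:
        return None
    _, raw, label = max(found)
    return raw, label


def collisions(private: Index, public: Index) -> List[str]:
    """Defender's check: private package names that also exist on the public
    index, i.e. names where merging could pull in a public release instead."""
    return sorted(set(private) & set(public))
```

Running `pick("acme-internal", ...)` with both indexes returns the public 99.0, while passing only the private index (the replacement-index configuration) returns 1.3.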
