[Distutils] PEP470 installation security problems

holger krekel holger at merlinux.eu
Wed Oct 8 14:59:36 CEST 2014


On Wed, Oct 08, 2014 at 08:47 -0400, Donald Stufft wrote:
> > On Oct 8, 2014, at 8:43 AM, holger krekel <holger at merlinux.eu> wrote:
> > 
> > On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
> >> On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
> >>> 
> >>> No, i am not concerned about the extra index supplying whatever packages.
> >>> After all, the user specifies the option and should trust that index.
> >>> 
> >>> I am concerned about the fact that public PyPI links are merged in even
> >>> for my private packages residing on the extra index.
> >> 
> >> That's what a default repository *does*. It's always on, unless you
> >> explicitly turn it off. Hence the name *extra index*. The index URL
> >> option is the one to use if you want to *replace* the index.
> > 
> > Nick, i don't know why you are saying this.  Do you think i don't know this?
> > 
> > My point is that PyPI makes for a very different default repository than the
> > Debian or Redhat one.  Or do you disagree there?
> 
> If you understand that, then your statements in here don’t make any sense to me.
>
> What is it you’re trying to achieve exactly? Do you think the PEP should be
> rejected? Do you think it needs to be amended? You’re saying things that I can’t reconcile
> with the PEP (and I’m apparently not the only one), nor can I convert
> them into actionable feedback.

Sorry that it's so unclear to you, Nick and Paul.  I tried my best.
And i tried to make suggestions about what to change, what to avoid, what
kind of options pip would need to become safer, etc.  That was all meant
as useful feedback to get a better PEP and end result.

But if you and Nick as authors refuse my suggestions (mainly:
backward compat, more careful reasoning about multi-index ops) then i am
currently clearly -1 on the PEP because i think it does more harm than good.

And i'll let it all rest at that for a bit because i don't want to
spend more time on it right now.

best,
holger
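The two pip options the thread argues about, as an added illustration that is not part of the original message or of pip's own documentation: a pip.conf that replaces the default index with `index-url`, with the merging `extra-index-url` form shown commented out for contrast. The private index URL is a placeholder.

```ini
# ~/.config/pip/pip.conf (added example, not from the thread;
# the private index URL below is a placeholder)
[global]
# Replaces the default index: pip consults only this index, so public PyPI
# release links are not merged in for projects hosted here.
index-url = https://private.example.invalid/simple/

# The merging alternative, commented out: extra-index-url keeps the default
# index on and adds this one, so release links for a project name are
# gathered from both indexes before pip picks a candidate.
# extra-index-url = https://private.example.invalid/simple/
```

The replacing form means anything still needed from public PyPI must also be reachable through the private index; that is the operational cost of not merging, and it is the trade-off behind the disagreement above.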

