[Distutils] PEP470 installation security problems
holger krekel
holger at merlinux.eu
Wed Oct 8 14:59:36 CEST 2014
On Wed, Oct 08, 2014 at 08:47 -0400, Donald Stufft wrote:
> > On Oct 8, 2014, at 8:43 AM, holger krekel <holger at merlinux.eu> wrote:
> >
> > On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
> >> On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
> >>>
> >>> No, i am not concerned about the extra index supplying whatever packages.
> >>> After all, the users specifies the option and should trust that index.
> >>>
> >>> I am concerned about the fact that public PyPI links are merged in even
> >>> for my private packages residing on the extra index.
> >>
> >> That's what a default repository *does*. It's always on, unless you
> >> explicitly turn it off. Hence the name *extra index*. The index URL
> >> option is the one to use if you want to *replace* the index.
> >
> > Nick, i don't know why you are saying this. Do you think i don't know this?
> >
> > My point is that PyPI makes for a very different default repository than the
> > Debian or Redhat one. Or do you disagree there?
>
> If you understand that, then your statements in here don’t make any sense to me.
>
> What is it you’re trying to achieve exactly? Do you think the PEP should be
> rejected? Do you think it needs amended? You’re saying things that I can’t reconcile
> how they relate to the PEP (and I’m apparently not the only one) nor can I convert
> them into actionable feedback.
Sorry that it's so unclear to you, Nick and Paul. I tried my best.
And i tried to make suggestions about what to change, what to avoid, what
kind of options pip would need to become safer etc. That was all meant
as useful feedback to get a better PEP and end result.

But if you and Nick as authors refuse my suggestions (mainly:
backward compat, more careful reasoning about multi-index ops) then i am
currently clearly -1 on the PEP because i think it does more harm than good.

And i'll let it all rest at that for a bit because i don't want to
spend more time on it right now.

best,
holger
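The behaviour Nick describes above (an extra index is merged with the default repository; only the index URL option replaces it) is the whole substance of the concern in this thread: with `extra-index-url`, a name that exists only on the private index is still looked up on public PyPI as well, so the install source for that name is decided by whichever index offers the version pip prefers. The following pip configuration is an added illustration and is not part of the thread or of the PEP; the private index URL is a placeholder. Both settings use pip's existing `[global]` keys `extra-index-url` and `index-url`.

```ini
# Setting 1 (merging): the private index is ADDED to the default
# repository. pip queries both public PyPI and the private index for every
# requirement, including packages that only exist privately.
[global]
extra-index-url = https://pypi.example.internal/simple/   # placeholder URL

# Setting 2 (replacing): the private index REPLACES the default repository.
# pip contacts only this index, so a privately named package can only be
# satisfied from there. The private index must then serve or proxy the
# public packages the project needs, since public PyPI is no longer consulted.
[global]
index-url = https://pypi.example.internal/simple/   # placeholder URL
```

Only one `[global]` section is meant to be active at a time; the two are shown side by side to make the difference explicit. The same choice can be made per invocation with `--extra-index-url` versus `--index-url`, which is the distinction the quoted exchange turns on.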
More information about the Distutils-SIG
mailing list