[Distutils] PEP470 installation security problems

Donald Stufft donald at stufft.io
Wed Oct 8 15:13:59 CEST 2014

> On Oct 8, 2014, at 8:59 AM, holger krekel <holger at merlinux.eu> wrote:
> On Wed, Oct 08, 2014 at 08:47 -0400, Donald Stufft wrote:
>>> On Oct 8, 2014, at 8:43 AM, holger krekel <holger at merlinux.eu> wrote:
>>> On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
>>>> On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
>>>>> No, I am not concerned about the extra index supplying whatever packages.
>>>>> After all, the user specifies the option and should trust that index.
>>>>> I am concerned about the fact that public PyPI links are merged in even
>>>>> for my private packages residing on the extra index.
>>>> That's what a default repository *does*. It's always on, unless you
>>>> explicitly turn it off. Hence the name *extra index*. The index URL
>>>> option is the one to use if you want to *replace* the index.
>>> Nick, I don't know why you are saying this.  Do you think I don't know this?
>>> My point is that PyPI makes for a very different default repository than the
>>> Debian or Redhat one.  Or do you disagree there?
>> If you understand that, then your statements in here don’t make any sense to me.
>> What is it you’re trying to achieve exactly? Do you think the PEP should be
>> rejected? Do you think it needs amending? You’re saying things whose relation to
>> the PEP I can’t work out (and I’m apparently not the only one), nor can I convert
>> them into actionable feedback.
> Sorry that it's so unclear to you, Nick and Paul.  I tried my best.
> And I tried to make suggestions about what to change, what to avoid, what
> kind of options pip would need to become safer, etc.  That was all meant
> as useful feedback to get a better PEP and end result.
> But if you and Nick as authors refuse my suggestions (mainly:
> backward compat, more careful reasoning about multi-index ops) then I am
> currently clearly -1 on the PEP because I think it does more harm than good.
> And I'll let it all rest at that for a bit because I don't want to
> spend more time on it right now.

I think I responded why I had considered and then rejected the backwards
compatibility concern. We may just disagree on that point.

I don’t understand what “more careful reasoning about multi-index ops” means.
Maybe if you suggest a rewording or point to a specific part of the PEP that
you think should be removed/edited/added to?

If you’d rather not do the above, that’s fine! Just saying that if you care to spend
more time on it, an explicit suggestion of what to change in the PEP would
be easier to understand.

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
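The merging behaviour the thread argues about (an extra index is added to the default index, while --index-url replaces it) can be shown with a small model. The following is an added illustration, not pip's code and not from any message in this thread: the two index listings are constructed sample data, the resolver is a simplified stand-in for pip's candidate selection (collect links from every configured index, then take the highest version, whichever index it came from), and the per-package index pin in the last function is a hypothetical mitigation, not an option pip offers.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple       # parsed as a tuple of ints so it compares numerically
    index: str           # which index the link came from


def parse_version(text: str) -> tuple:
    """Minimal dotted-version parser; PEP 440 handling is out of scope here."""
    return tuple(int(part) for part in text.split("."))


# Constructed sample listings (not real PyPI or real private index data).
# "mycorp-tools" exists on both: the private one is the intended package,
# the public one is a same-named upload with a larger version number.
PUBLIC_PYPI = {
    "requests": ["2.4.1"],
    "mycorp-tools": ["99.0"],
}
PRIVATE_INDEX = {
    "mycorp-tools": ["1.2", "1.3"],
}


def collect(indexes, name: str):
    """Gather every candidate for `name` from the given (label, listing) pairs."""
    return [
        Candidate(name, parse_version(v), label)
        for label, listing in indexes
        for v in listing.get(name, [])
    ]


def pick_highest(candidates) -> Optional[Candidate]:
    return max(candidates, key=lambda c: c.version, default=None)


def resolve_extra_index(name: str) -> Optional[Candidate]:
    """Model of --extra-index-url: PyPI stays on, the private index is merged
    in, and the highest version across both wins. This is what the thread's
    concern is about: a private name can be satisfied from PyPI."""
    return pick_highest(collect([("pypi", PUBLIC_PYPI), ("private", PRIVATE_INDEX)], name))


def resolve_index_url(name: str) -> Optional[Candidate]:
    """Model of --index-url pointing at the private index: PyPI is replaced,
    so only the private listing is consulted (and public-only names are
    simply not found)."""
    return pick_highest(collect([("private", PRIVATE_INDEX)], name))


def resolve_with_index_pins(name: str, pins: dict) -> Optional[Candidate]:
    """Hypothetical mitigation (assumption, not a pip feature): a per-package
    pin that restricts a name to one index, so merged resolution is only
    used for names that are not pinned."""
    if name in pins:
        listing = {"pypi": PUBLIC_PYPI, "private": PRIVATE_INDEX}[pins[name]]
        return pick_highest(collect([(pins[name], listing)], name))
    return resolve_extra_index(name)


if __name__ == "__main__":
    for label, fn in [("extra-index", resolve_extra_index), ("index-url", resolve_index_url)]:
        for pkg in ("mycorp-tools", "requests"):
            print(f"{label:12s} {pkg:14s} -> {fn(pkg)}")
    pins = {"mycorp-tools": "private"}
    print("pinned       mycorp-tools   ->", resolve_with_index_pins("mycorp-tools", pins))
```

Run as a script, the extra-index case resolves mycorp-tools to the 99.0 candidate from the pypi listing, the index-url case resolves it to 1.3 from the private listing and cannot find requests at all, and the pinned case keeps the private name on the private index while still letting requests come from the public one.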
