[Distutils] PEP470 installation security problems

Chris Jerdonek chris.jerdonek at gmail.com
Wed Oct 8 17:08:15 CEST 2014

I have a suggestion.  Holger obviously feels he has something very
important to say, and a lot of e-mails have already been sent back and
forth.  Is there some way that Donald, Nick, and Holger could perhaps have
a conference call or hangout of some sort just for the purpose of
understanding and/or confirming exactly what his concern is (and, if
possible, coming to agreement on a resolution)?  And then the result of
that conversation can be summarized for the list?  I think that might be
more constructive at this point and courteous to Holger.  I know that for
me, sometimes "a quick phone call" can do wonders.


On Wed, Oct 8, 2014 at 6:13 AM, Donald Stufft <donald at stufft.io> wrote:

> > On Oct 8, 2014, at 8:59 AM, holger krekel <holger at merlinux.eu> wrote:
> >
> > On Wed, Oct 08, 2014 at 08:47 -0400, Donald Stufft wrote:
> >>> On Oct 8, 2014, at 8:43 AM, holger krekel <holger at merlinux.eu> wrote:
> >>>
> >>> On Wed, Oct 08, 2014 at 22:18 +1000, Nick Coghlan wrote:
> >>>> On 8 October 2014 21:40, holger krekel <holger at merlinux.eu> wrote:
> >>>>>
> >>>>> No, i am not concerned about the extra index supplying whatever packages.
> >>>>> After all, the user specifies the option and should trust that index.
> >>>>>
> >>>>> I am concerned about the fact that public PyPI links are merged in even
> >>>>> for my private packages residing on the extra index.
> >>>>
> >>>> That's what a default repository *does*. It's always on, unless you
> >>>> explicitly turn it off. Hence the name *extra index*. The index URL
> >>>> option is the one to use if you want to *replace* the index.
> >>>
> >>> Nick, i don't know why you are saying this.  Do you think i don't know this?
> >>>
> >>> My point is that PyPI makes for a very different default repository than the
> >>> Debian or Redhat one.  Or do you disagree there?
> >>
> >> If you understand that, then your statements in here don’t make any sense to me.
> >>
> >> What is it you’re trying to achieve exactly? Do you think the PEP should be
> >> rejected? Do you think it needs amended? You’re saying things that I can’t reconcile
> >> how they relate to the PEP (and I’m apparently not the only one) nor can I convert
> >> them into actionable feedback.
> >
> > Sorry that it's so unclear to you, Nick and Paul.  I tried my best.
> > And i tried to make suggestions what to change, what to avoid, what
> > kind of options pip would need to become safer etc..  That was all meant
> > as useful feedback to get a better PEP and end result.
> >
> > But if you and Nick as authors refuse my suggestions (mainly:
> > backward compat, more careful reasoning about multi-index ops) then i am
> > currently clearly -1 on the PEP because i think it does more harm than good.
> >
> > And i'll let it all rest at that for a bit because i don't want to
> > spend more time on it right now.
>
> I think I responded why I had considered and then rejected the backwards
> compatibility concern. We may just disagree on that point.
>
> I don’t understand what “more careful reasoning about multi-index ops” means.
> Maybe if you suggest a rewording or point to a specific part of the PEP that
> you think should be removed/edited/added to?
>
> If you’d rather not do that above that’s fine! Just saying if you care to spend
> more time on it that maybe an explicit suggestion of what to change in the
> would be easier to understand.
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
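The point Holger and Nick are arguing over above is how pip builds its candidate list when an extra index is configured: candidates from the default index and the extra index are merged, and the best version wins no matter which index served it, whereas `--index-url` replaces the default index entirely. The following is an added illustration of that merging, not code from this thread, from pip, or from PEP 470: the index contents, the package name `internal-tool`, and the helper functions are constructed for the example, and the simplified finder assumes pip's documented behaviour of choosing the highest version across all configured indexes.

```python
"""Constructed simulation of candidate merging across package indexes.

Not pip's own code: a simplified stand-in for pip's finder that shows why
an extra index does not protect private package names, and how an
operator can check for names that exist on both indexes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # version as a tuple of ints, e.g. (1, 2, 0)
    index: str      # label of the index that served this candidate


# Constructed index contents (hypothetical packages and versions).
# "private" is the organisation's extra index holding an internal package;
# "pypi" stands in for the public default index.
PRIVATE_INDEX = {
    "internal-tool": [Candidate("internal-tool", (1, 2, 0), "private")],
}
PUBLIC_INDEX = {
    # Same name as the private package, higher version: this is the case
    # the thread is worried about.
    "internal-tool": [Candidate("internal-tool", (9, 0, 0), "pypi")],
    "requests": [Candidate("requests", (2, 4, 1), "pypi")],
}


def find_candidates(name, indexes):
    """Union of every configured index's candidates for `name`.

    This is the extra-index behaviour: nothing in the result records that
    one index was meant to be "more trusted" than another.
    """
    found = []
    for index in indexes:
        found.extend(index.get(name, []))
    return found


def pick_best(candidates):
    """Highest version wins, regardless of which index served it."""
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.version)


def resolve_with_extra_index(name):
    """Default index plus an extra index (pip --extra-index-url)."""
    return pick_best(find_candidates(name, [PUBLIC_INDEX, PRIVATE_INDEX]))


def resolve_with_index_url(name):
    """Default index replaced by the private one (pip --index-url)."""
    return pick_best(find_candidates(name, [PRIVATE_INDEX]))


def shadowed_private_names(private, public):
    """Operator-side check: private names that also exist on the public
    index and whose best public version outranks the best private one.

    Returns a sorted list of names that would resolve to the public index
    under extra-index merging.
    """
    shadowed = []
    for name, private_cands in private.items():
        public_cands = public.get(name, [])
        if not public_cands:
            continue
        if pick_best(public_cands).version > pick_best(private_cands).version:
            shadowed.append(name)
    return sorted(shadowed)


if __name__ == "__main__":
    print("extra-index:", resolve_with_extra_index("internal-tool"))
    print("index-url:  ", resolve_with_index_url("internal-tool"))
    print("shadowed:   ", shadowed_private_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

`resolve_with_extra_index("internal-tool")` returns the public 9.0.0 candidate even though the package was only ever meant to come from the private index; `resolve_with_index_url` returns the private 1.2.0 one but, as Nick notes, then cannot see anything (such as `requests`) that only exists on the public index. `shadowed_private_names` is the check an operator running a private index would want to run periodically against the public index.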