[Distutils] some questions about PEP470

Paul Moore p.f.moore at gmail.com
Mon Oct 13 14:37:49 CEST 2014

On 13 October 2014 13:08, holger krekel <holger at merlinux.eu> wrote:
> On Mon, Oct 13, 2014 at 12:00 +0100, Paul Moore wrote:
>> On 13 October 2014 11:40, holger krekel <holger at merlinux.eu> wrote:
>> > and I just noted that the very Python guide on packaging is advertising
>> > using plain --extra-index-url for private packages as well:
>> >
>> > http://docs.python-guide.org/en/latest/shipping/packaging/#personal-pypi
>> I can see your point here (I'm not sure I agree with it, but that's a
>> separate issue).
> Sorry but what is there to agree or discuss?  If recommending
> --extra-index-url for private packages does not come with a big fat
> warning that you need to publically register the name with PyPI,
> it exposes users to direct compromise of their machine, plain and simple.

I would view it as a matter of the trust model. If you don't trust
PyPI, then you should not download direct from there. That applies
whether or not you have a private index as well. if you do trust PyPI,
then you presumably understand the risks.

I'd be happy enough to see a note that whenever you use pip without
specifying --no-index you trust PyPI. I don't mind if there's a
further note that if you serve packages from your local index they
will be considered as equal candidates with packages of the same name
on PyPI *regardless of who uploaded them to PyPI*.

But I don't accept that there's a need to over-stress the risk. After
all, if I mistype an install command as "pip install devpy", I'm just
as exposed to compromise of my machine.


More information about the Distutils-SIG mailing list