[Distutils] some questions about PEP470

Paul Moore p.f.moore at gmail.com
Mon Oct 13 14:37:49 CEST 2014


On 13 October 2014 13:08, holger krekel <holger at merlinux.eu> wrote:
> On Mon, Oct 13, 2014 at 12:00 +0100, Paul Moore wrote:
>> On 13 October 2014 11:40, holger krekel <holger at merlinux.eu> wrote:
>> > and I just noted that the very Python guide on packaging is advertising
>> > using plain --extra-index-url for private packages as well:
>> >
>> > http://docs.python-guide.org/en/latest/shipping/packaging/#personal-pypi
>>
>> I can see your point here (I'm not sure I agree with it, but that's a
>> separate issue).
>
> Sorry but what is there to agree or discuss?  If recommending
> --extra-index-url for private packages does not come with a big fat
> warning that you need to publicly register the name with PyPI,
> it exposes users to direct compromise of their machine, plain and simple.

I would view it as a matter of the trust model. If you don't trust
PyPI, then you should not download direct from there. That applies
whether or not you have a private index as well. If you do trust PyPI,
then you presumably understand the risks.

I'd be happy enough to see a note that whenever you use pip without
specifying --no-index you trust PyPI. I don't mind if there's a
further note that if you serve packages from your local index they
will be considered as equal candidates with packages of the same name
on PyPI *regardless of who uploaded them to PyPI*.

But I don't accept that there's a need to over-stress the risk. After
all, if I mistype an install command as "pip install devpy", I'm just
as exposed to compromise of my machine.

Paul.
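The behaviour the thread is arguing about, that with --extra-index-url a private index and PyPI are equal candidate sources and the highest version wins wherever it came from, can be checked offline with a small simulation. The following is an added example, not code from this thread or from pip itself; the index listings are constructed, version comparison is simplified to dotted integers, and no network access is involved. It also shows the two defensive checks a practitioner would want: which private names are shadowed by a same-name project on the public index, and what resolution looks like when only the private index is consulted.

```python
from collections import defaultdict

# Constructed sample index listings (project name -> versions offered).
# They stand in for what pip would see when given both a private index
# via --extra-index-url and the default public index.
PRIVATE_INDEX = {
    "internal-auth": ["1.2.0", "1.3.0"],
    "internal-billing": ["0.9.0"],
}
PUBLIC_INDEX = {
    "requests": ["2.20.0", "2.25.1"],
    "internal-auth": ["99.0.0"],  # hypothetical same-name project on the public index
}


def parse_version(v):
    """Simplified version parsing: dotted integers only (constructed for this demo)."""
    return tuple(int(p) for p in v.split("."))


def merge_candidates(*indexes):
    """Pool candidates from every index given as (label, listing).

    Mirrors the --extra-index-url model: all indexes are equal sources, so the
    origin label is kept only so the result can report where a version came from.
    """
    pool = defaultdict(list)
    for label, listing in indexes:
        for name, versions in listing.items():
            for v in versions:
                pool[name].append((parse_version(v), v, label))
    return pool


def select(pool, name):
    """Pick the highest version for `name`, regardless of which index offered it."""
    candidates = pool.get(name)
    if not candidates:
        return None
    _, version, origin = max(candidates)  # ordered by parsed version first
    return version, origin


def shadowed_names(private, public):
    """Private names that also exist on the public index.

    Any such name can resolve to the public copy, which is exactly the
    exposure the thread discusses.
    """
    return sorted(set(private) & set(public))


def select_private_only(private, name):
    """Resolution when the private index is the *only* index (--index-url <private>,
    no extra index): the public listing is never consulted."""
    versions = private.get(name)
    if not versions:
        return None
    return max(versions, key=parse_version), "private"


if __name__ == "__main__":
    pool = merge_candidates(("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX))
    for name in ("internal-auth", "internal-billing", "requests"):
        print(name, "->", select(pool, name))
    print("shadowed:", shadowed_names(PRIVATE_INDEX, PUBLIC_INDEX))
    print("private-only internal-auth ->", select_private_only(PRIVATE_INDEX, "internal-auth"))
```

Running it shows internal-auth resolving to 99.0.0 from the public index when both indexes are pooled, while the private-only path yields 1.3.0; the shadowed-name check is the cheap audit to run before relying on --extra-index-url for private names.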


More information about the Distutils-SIG mailing list