[Distutils] continuous integration options (was Re: Travis-CI is not open source, except in fact it *is* open source)

Chris Barker chris.barker at noaa.gov
Sun Nov 6 16:20:11 EST 2016


On Fri, Nov 4, 2016 at 11:29 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> If I understand correctly, conda-forge works on the same basic
> principle - reviewing the publishers before granting them publication
> access, rather than defending against arbitrarily malicious code at
> build time.
>

Yup -- that's pretty much it. You need a conda-forge member to merge your
PR before you get a "feedstock" tied into the system.

I'm confused though -- IIUC, ANYONE can put something up on PyPi with
arbitrary code in it that will get run by someone when they pip install
it.

So how is allowing anyone to push something to PyPi that will run arbitrary
code on a CI server, which will then push arbitrary code to PyPi that gets
run by anyone who pip installs it, any different?

Essentially, we have already said that there is no such thing as "trusting
PyPi" -- you need to trust each individual package. So how is any sort of
auto-build system going to change that?



-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR&R            (206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115       (206) 526-6317   main reception

Chris.Barker at noaa.gov
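Added example (not part of this message or the distutils-sig thread): the post's point is that installing an sdist from PyPI runs code from the archive on the installing machine, because pip has to execute the package's own build script (setup.py, or the build backend named in pyproject.toml) to build it, whereas a wheel is only unpacked. The check below classifies a distribution archive by that property. The archive contents and filenames are constructed inline for the demonstration and are not real packages.

```python
import io
import tarfile
import zipfile

# Files at the root of an sdist that drive the build step. Installing an sdist
# executes whichever of these the build system uses, under the installing user.
BUILD_FILES = ("setup.py", "setup.cfg", "pyproject.toml")

# Constructed sample setup.py: the os.system call runs on every machine that
# installs this sdist, before any "package code" is imported at all.
SETUP_PY = b"""
import os
os.system("echo this ran on the installing machine")
from setuptools import setup
setup(name="demo", version="0.1")
"""

PYPROJECT = b"""
[build-system]
requires = ["setuptools"]
build-backend = "setuptools.build_meta"
"""


def make_sdist_tar() -> bytes:
    """Constructed .tar.gz sdist containing a setup.py (in-memory, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("demo-0.1/setup.py")
        info.size = len(SETUP_PY)
        tar.addfile(info, io.BytesIO(SETUP_PY))
    return buf.getvalue()


def make_sdist_zip() -> bytes:
    """Constructed .zip sdist with only a pyproject.toml (PEP 517 backend still runs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-0.1/pyproject.toml", PYPROJECT)
        zf.writestr("demo-0.1/demo/__init__.py", "VERSION = '0.1'\n")
    return buf.getvalue()


def make_wheel() -> bytes:
    """Constructed wheel: pip unpacks it, no build script is executed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "VERSION = '0.1'\n")
        zf.writestr("demo-0.1.dist-info/METADATA", "Name: demo\nVersion: 0.1\n")
        zf.writestr("demo-0.1.dist-info/WHEEL", "Wheel-Version: 1.0\n")
    return buf.getvalue()


def _archive_names(filename: str, data: bytes) -> list:
    if filename.endswith((".tar.gz", ".tgz")):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            return tar.getnames()
    if filename.endswith((".zip", ".whl")):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    raise ValueError(f"unrecognised distribution type: {filename}")


def classify_distribution(filename: str, data: bytes) -> dict:
    """Report whether pip would execute code from this archive just to install it.

    Wheels are never built, so nothing runs. Any sdist is built by running its
    own build script, so it runs code even if the script is not setup.py.
    """
    names = _archive_names(filename, data)
    if filename.endswith(".whl"):
        return {"runs_code_at_install": False, "build_files": []}
    # Build files live directly under the single top-level directory of an sdist.
    build_files = sorted(
        n for n in names
        if len(n.split("/")) == 2 and n.split("/")[1] in BUILD_FILES
    )
    return {"runs_code_at_install": True, "build_files": build_files}


def demo() -> dict:
    """Classify the three constructed archives; returns {filename: report}."""
    samples = {
        "demo-0.1.tar.gz": make_sdist_tar(),
        "demo-0.1.zip": make_sdist_zip(),
        "demo-0.1-py3-none-any.whl": make_wheel(),
    }
    return {name: classify_distribution(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Note that the check is deliberately keyed on the archive type rather than on "does it contain a setup.py": a sdist with only a pyproject.toml still executes a build backend, and a wheel is trusted no more than its builder was, which is exactly the trust question the thread is about.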