[Python-Dev] Keyword meanings [was: Accept just PEP-0426]

Barry Warsaw barry at python.org
Thu Dec 6 00:18:12 CET 2012

On Dec 05, 2012, at 06:07 PM, Donald Stufft wrote:

>If you're installing B you've prescribed trust to that author. If you don't
>trust the author then why are you installing (and then executing) code
>they wrote. 

What you installed Z, but B got installed because it was a dependency three
levels down?

>Very convenient to declare that one of the major use cases for
>Obsoletes over Obsoleted-By is not valid because of your own
>personal opinions. Like I said above, if you're installing a package
>that someone has uploaded you've implicitly granted them trust. There
>is far worse things that a bad Python citizen can do during, and after
>and install that what is allowed by Obsoletes.

Well, basically never installing anything from PyPI except into a virtualenv
is probably a good recommendation (maybe even now).

>End systems often times do not have a singular organization controlling
>every package in their system. The best example is Ubuntu and their PPA's. 

Well, PPAs are awesome, but have known and well-publicized trust issues.  I
wouldn't enable a PPA into my running system without really knowing who the
owner is and why I'm using their PPA.  Or doing a lot of testing in a chroot
first, and probably pinning the package set to just the one(s) from the PPA I
care about.


More information about the Python-Dev mailing list