[Python-Dev] Keyword meanings [was: Accept just PEP-0426]
Barry Warsaw
barry at python.org
Thu Dec 6 00:18:12 CET 2012
On Dec 05, 2012, at 06:07 PM, Donald Stufft wrote:
>If you're installing B you've prescribed trust to that author. If you don't
>trust the author then why are you installing (and then executing) code
>they wrote.
What if you installed Z, but B got installed because it was a dependency three
levels down?
>Very convenient to declare that one of the major use cases for
>Obsoletes over Obsoleted-By is not valid because of your own
>personal opinions. Like I said above, if you're installing a package
>that someone has uploaded you've implicitly granted them trust. There
>are far worse things that a bad Python citizen can do during, and after,
>an install than what is allowed by Obsoletes.
Well, basically never installing anything from PyPI except into a virtualenv
is probably a good recommendation (maybe even now).
>End systems often times do not have a singular organization controlling
>every package in their system. The best example is Ubuntu and their PPA's.
Well, PPAs are awesome, but have known and well-publicized trust issues. I
wouldn't enable a PPA into my running system without really knowing who the
owner is and why I'm using their PPA. Or doing a lot of testing in a chroot
first, and probably pinning the package set to just the one(s) from the PPA I
care about.
Cheers,
-Barry
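The transitive-trust point in this exchange (you audited Z, but B arrived three levels down and gets to make Obsoletes claims) can be made concrete with a small dependency walk. The following is an added example, not code from this thread or from any Python packaging tool; the index, package names, authors and the `requires`/`obsoletes` fields are constructed to mirror the scenario, and the walk tolerates a dependency cycle and a missing package rather than looping or crashing.

```python
from collections import deque

# Constructed sample index (not real PyPI data). "requires" is what a package
# pulls in; "obsoletes" is the claim it makes about *other* packages, which is
# the metadata field the thread argues over; "author" is who uploaded it.
INDEX = {
    "Z": {"author": "you-audited", "requires": ["A"],       "obsoletes": []},
    "A": {"author": "alice",       "requires": ["Y"],       "obsoletes": []},
    "Y": {"author": "yves",        "requires": ["B", "A"],  "obsoletes": []},  # cycle back to A
    "B": {"author": "bob",         "requires": ["ghost"],   "obsoletes": ["A"]},  # "ghost" is not in the index
}


def install_plan(index, root):
    """Breadth-first walk of Requires starting at the package the user chose.

    Returns (plan, unresolved) where plan maps name -> (depth, pulled_in_by).
    Each name is recorded once at its shallowest depth, so cycles terminate.
    Names that are required but absent from the index are reported, not walked.
    """
    plan = {root: (0, None)}
    queue = deque([root])
    unresolved = []
    while queue:
        name = queue.popleft()
        depth, _ = plan[name]
        for dep in index[name]["requires"]:
            if dep in plan:
                continue
            if dep not in index:
                unresolved.append((dep, name))
                continue
            plan[dep] = (depth + 1, name)
            queue.append(dep)
    return plan, unresolved


def obsoletes_findings(index, plan):
    """Every Obsoletes claim made by a package the user did not pick directly.

    depth > 0 means the package came in transitively; target_in_plan flags the
    case where the claim is aimed at something that is itself being installed.
    """
    findings = []
    for name, (depth, via) in plan.items():
        if depth == 0:
            continue
        for target in index[name]["obsoletes"]:
            findings.append({
                "claimant": name,
                "author": index[name]["author"],
                "depth": depth,
                "pulled_in_by": via,
                "obsoletes": target,
                "target_in_plan": target in plan,
            })
    return findings


def implicitly_trusted_authors(index, plan):
    """Uploaders whose code runs on install although the user never chose them."""
    return sorted({index[n]["author"] for n, (d, _) in plan.items() if d > 0})


if __name__ == "__main__":
    plan, unresolved = install_plan(INDEX, "Z")
    for name, (depth, via) in plan.items():
        print(f"{name}: depth {depth}, pulled in by {via}")
    print("unresolved:", unresolved)
    for f in obsoletes_findings(INDEX, plan):
        print(f"{f['claimant']} (by {f['author']}, depth {f['depth']}) obsoletes "
              f"{f['obsoletes']}; target in plan: {f['target_in_plan']}")
    print("authors trusted without being chosen:", implicitly_trusted_authors(INDEX, plan))
```

Running it shows B at depth 3, reached through Y, declaring that it obsoletes A, which is in the same install plan; the list of implicitly trusted uploaders is everyone but the one author the user actually looked at. Whether an installer should act on such a claim is exactly the policy question the thread leaves open; the walk only makes the claim visible before anything is installed.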