[Python-Dev] Status of packaging in 3.3

Donald Stufft donald.stufft at gmail.com
Fri Jun 22 12:35:27 CEST 2012



On Friday, June 22, 2012 at 5:52 AM, Dag Sverre Seljebotn wrote:

> 
> The reason PyPI isn't one big security risk is that packages are built 
> from source, and so you can have some confidence that backdoors would be 
> noticed and highlighted by somebody.
> 
> Having common standards for the binary installation phase would be great, 
> sure, but security-minded users would still need to build from source in 
> every case (or trust a 3rd-party build farm that builds from source). 
> The reason you can trust RPMs at all is because they're built from SRPMs.
> 
> Dag 
The reason you trust RPMs is not because they are built from SRPMs,
but because you trust the people running the repositories. In the case of PyPI
you can't make a global call to implicitly trust all packages because there is
no gatekeeper as in an RPM system, so it falls to the individual to decide
for him or herself which authors they trust and which authors they do not trust.

But this proposal alludes to both source dists and built dists, either of which may
be published and installed from.

In the case of a source dist the package format would include all the metadata
of the package. Included in that is a Python script that knows how to build this
particular package (if special steps are required). This script could simply call
out to an already existing build system or, if simple enough, work on its own.
Source dists would also obviously contain the source.

In the case of a binary dist the package format would include all the metadata
of the package, plus the binary files.
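A worked illustration of what "build from source" by a security-minded user involves in practice, added here as an example and not code from the thread or from the packaging proposal: pin a digest of the sdist obtained from a channel you trust, refuse archives whose members would escape the top-level directory, and read the package metadata before handing the archive to a build script. The in-memory tarball, its file names and the pinned digest are all constructed for the example; the PKG-INFO layout is the conventional one and is an assumption of this example, not something the proposal specifies.

```python
"""Added example, not code from the thread or from the packaging proposal:
the checks a user who insists on building from source can run on an sdist
before trusting it. The tarball, file names and pinned digest are constructed
here for illustration; the PKG-INFO layout is the conventional one and is an
assumption of this example, not something the proposal specifies."""
import hashlib
import hmac
import io
import posixpath
import tarfile


def build_demo_sdist(name="demo", version="1.0", extra_member=None):
    """Construct a small sdist-like .tar.gz in memory (constructed sample data).
    extra_member lets the demo plant a member that escapes the top directory."""
    top = f"{name}-{version}"
    files = {
        f"{top}/PKG-INFO": f"Metadata-Version: 1.1\nName: {name}\nVersion: {version}\n",
        f"{top}/setup.py": "from distutils.core import setup\nsetup(name='demo')\n",
        f"{top}/demo.py": "def hello():\n    return 'hello'\n",
    }
    if extra_member is not None:
        files[extra_member] = "planted\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned_digest(data, pinned_hex):
    """True only if the archive matches a digest the user recorded earlier
    (e.g. from the author's signed announcement); constant-time compare."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex)


def unsafe_members(data):
    """Names of members that must not be extracted: absolute paths, '..'
    components, symlinks/hardlinks, or anything outside the single top dir."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = tar.getmembers()
        top = members[0].name.split("/")[0] if members else None
        for m in members:
            raw_parts = m.name.split("/")
            norm_top = posixpath.normpath(m.name).split("/")[0]
            if (m.name.startswith("/") or ".." in raw_parts
                    or m.issym() or m.islnk() or norm_top != top):
                bad.append(m.name)
    return bad


def read_metadata(data):
    """Parse the top-level PKG-INFO into a dict; None if it is missing."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if (m.isfile() and m.name.count("/") == 1
                    and posixpath.basename(m.name) == "PKG-INFO"):
                text = tar.extractfile(m).read().decode()
                return dict(line.split(": ", 1)
                            for line in text.splitlines() if ": " in line)
    return None


def check_sdist(data, pinned_hex):
    """Return (ok, reasons): ok means the sdist may be unpacked and built."""
    reasons = []
    if not verify_pinned_digest(data, pinned_hex):
        reasons.append("digest mismatch")
    bad = unsafe_members(data)
    if bad:
        reasons.append("unsafe members: " + ", ".join(bad))
    if read_metadata(data) is None:
        reasons.append("no top-level PKG-INFO")
    return (not reasons, reasons)


if __name__ == "__main__":
    good = build_demo_sdist()
    print(check_sdist(good, sha256_hex(good)))
    evil = build_demo_sdist(extra_member="../evil.py")
    print(check_sdist(evil, sha256_hex(evil)))
```

The digest check is the part that encodes "which authors I trust": the pinned value has to come from somewhere other than the index that served the archive, or it proves nothing. The member check matters because the build script in the sdist runs with the user's privileges, so an archive that can write outside its own directory during unpacking is already a compromise before any build step runs.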