[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]
Stefan Krah
stefan at bytereef.org
Thu May 8 16:36:50 CEST 2014
Donald Stufft <donald at stufft.io> wrote:
> There is support for trusted externally hosted packages, you put the URL in
> PyPI and include a hash in the fragment like so:
>
> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56
That is exactly the mode I was using until today. This mode produced the
subject's warning message.
Today I've switched to manual install mode with manual sha256sum verification
which is *far* safer than anything you get via pip right now.
> [2] For the definition of safe that PyPI/pip operate under, which is that the
> author of a package is assumed to be trusted by the person electing to
> download their package.
No, there are other holes, which you have conceded in your previous mail.
> I don't think the warning is FUD, and it doesn't mention anything security
> related at all. The exact text of the warning is in the subject of the email
> here:
>
> cdecimal an externally hosted file and may be unreliable
>
> Which is true as far as I can tell, it is externally hosted, and it may be
> unreliable[1]. If there is a better wording for that I'm happy to have it and
> will gladly commit it myself to pip.
Do you honestly not see a difference between the cited warning and the
*intended* warning "the server's availability may be unreliable"?
Even the latter is FUD or a truism (it applies to any server).
The real question is: Why is there a warning if the person running pip
has explicitly allowed external packages?
Stefan Krah
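The exchange above turns on two integrity checks: pip's PyPI-style URL fragment (`#md5=...`) and a manual `sha256sum` comparison. The following is an added example, not code from the thread, pip or cdecimal, showing what verifying a downloaded archive against such a fragment amounts to: parse the algorithm and hex digest out of the fragment, hash the bytes you actually received, and compare in constant time. The cdecimal URL and its md5 value are the ones quoted in the thread; the archive bytes are a constructed stand-in (the real file is not available offline), so checking them against that URL fails, as it should. The helper names are my own.

```python
"""Verify a downloaded archive against a PyPI-style '#algo=hexdigest' URL fragment.

Added example (not part of the mailing-list thread, pip or cdecimal).
Helper names are hypothetical; the cdecimal URL and md5 come from the thread.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Algorithms the fragment syntax may name; md5/sha1 are collision-prone,
# so a defender should treat them as availability checks, not integrity proofs.
SUPPORTED = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
WEAK = {"md5", "sha1"}

# URL quoted in the thread (external hosting with an md5 fragment).
CDECIMAL_URL = ("http://www.bytereef.org/software/mpdecimal/releases/"
                "cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56")

# Constructed stand-in for archive bytes; NOT the real cdecimal-2.3.tar.gz.
SAMPLE_ARCHIVE = b"constructed sample bytes standing in for cdecimal-2.3.tar.gz\n"


def parse_hash_fragment(url):
    """Return (algorithm, lowercase hexdigest) from a '#algo=hex' fragment.

    Returns None when the URL carries no fragment at all, and raises
    ValueError for a fragment that is present but malformed or unsupported.
    """
    fragment = urlparse(url).fragment
    if not fragment:
        return None
    algo, sep, digest = fragment.partition("=")
    if not sep:
        raise ValueError(f"fragment is not of the form algo=hex: {fragment!r}")
    algo = algo.lower()
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm in fragment: {algo!r}")
    digest = digest.lower()
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed {algo} hex digest: {digest!r}")
    return algo, digest


def fragment_is_weak(url):
    """True when the fragment names md5 or sha1 (collision-prone algorithms)."""
    parsed = parse_hash_fragment(url)
    return parsed is not None and parsed[0] in WEAK


def verify_download(data, url):
    """Hash the received bytes with the fragment's algorithm and compare.

    A URL without a fragment is rejected outright rather than silently
    trusted; comparison is constant-time to avoid leaking digest prefixes.
    """
    parsed = parse_hash_fragment(url)
    if parsed is None:
        raise ValueError("no hash fragment; refusing to trust unverified download")
    algo, expected = parsed
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def sha256sum_line(data, filename):
    """Produce the '<hex>  <name>' line format that sha256sum -c consumes."""
    return f"{hashlib.sha256(data).hexdigest()}  {filename}"


def check_sha256sum_line(data, line):
    """Manual equivalent of 'sha256sum -c': verify data against one checksum line."""
    expected, _, _name = line.partition("  ")
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected.lower())


if __name__ == "__main__":
    # A fragment built from the bytes we hold verifies; the thread's md5 does not,
    # because SAMPLE_ARCHIVE is a constructed stand-in, not the real tarball.
    good_url = CDECIMAL_URL.split("#")[0] + "#sha256=" + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
    print("sha256 fragment matches:", verify_download(SAMPLE_ARCHIVE, good_url))
    print("thread's md5 fragment matches constructed bytes:",
          verify_download(SAMPLE_ARCHIVE, CDECIMAL_URL))
    print("thread's fragment uses a weak algorithm:", fragment_is_weak(CDECIMAL_URL))
    print(sha256sum_line(SAMPLE_ARCHIVE, "cdecimal-2.3.tar.gz"))
```

The point the thread circles around is visible in `verify_download`: a hash in the URL fragment only tells you that what arrived matches what the author published, so it is still trust in the author, and a fragment naming md5 adds little beyond corruption detection. A `#sha256=` fragment, or a `sha256sum` line obtained from the author by another channel, is the stronger form of the same check.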