Terry Reedy wrote:
> On 7/16/2011 6:58 AM, Martijn Faassen wrote:
>
>> Okay, so this scenario is possible:
>>
>> * developer of a popular package gets fed up for unknown reasons
>>
>> * removes his package from PyPI (not realizing the thing below)
>>
>> * someone else notices this and recreates the package maliciously
>
> pypi could prohibit the reuse of deleted package names.
> If a name was 'retired' for legal reasons, then it should stay retired
> anyway.
Recycling of package names can very well have a real and honest background, e.g. if someone decides to give a package name to someone else for whatever reason. Happens in DNS all the time.

BTW: To address your repeatability/security concerns, the tools you are using would also have to store the hash check sum of the downloaded packages together with the version. AFAIK, buildout only pins down versions, not MD5/SHA1 sums.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jul 18 2011)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
http://mail.python.org/mailman/listinfo/catalog-sig
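The point Marc-Andre makes above (a tool that pins only versions cannot tell a re-uploaded `name==version` from the original) is illustrated by the following added example. It is editor-written code, not buildout's, pip's or anything posted to the list. It parses a small lock file in the `name==version --hash=algo:hex` style and checks a downloaded artifact against it: a version-only pin is accepted without verification, a hash pin rejects an artifact whose bytes differ from what was pinned. The package names, versions, file contents and digests are all constructed for the example. Two caveats a practitioner would add to the thread's MD5/SHA1 remark: prefer SHA-256 or stronger, since collision attacks on MD5 and SHA-1 are practical, and remember that a pinned hash only proves the artifact is unchanged since it was pinned, so the first download still has to come from a trusted source.

```python
"""Version-only pins versus version+hash pins (added example, not from the thread).

A lock entry of the form
    name==version --hash=sha256:<hex> [--hash=...]
records what was actually downloaded. An entry with no --hash records only
the version and cannot detect a re-uploaded package with the same version.
All names, versions, contents and digests below are constructed.
"""
import hashlib
import re

# One lock line: name==version followed by zero or more --hash=algo:hex
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=(?:sha256|sha512|sha1|md5):[0-9a-fA-F]+)*)\s*$"
)
HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")


def parse_lock(text):
    """Return {name: (version, {algo: {hexdigest, ...}})} for a lock file."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if m is None:
            raise ValueError("unparseable lock line: %r" % line)
        digests = {}
        for algo, hexd in HASH_RE.findall(m.group("hashes")):
            digests.setdefault(algo, set()).add(hexd.lower())
        pins[m.group("name").lower()] = (m.group("version"), digests)
    return pins


def verify_artifact(pins, name, version, data):
    """Check downloaded bytes `data` for `name`/`version` against the pins.

    Returns (accepted, reason). A version-only pin is accepted but the reason
    says so explicitly: that is the gap a version-only tool leaves open.
    """
    entry = pins.get(name.lower())
    if entry is None:
        return False, "not pinned"
    pinned_version, digests = entry
    if version != pinned_version:
        return False, "version mismatch: pinned %s, got %s" % (pinned_version, version)
    if not digests:
        return True, "version matches but no hash pinned (content unverified)"
    for algo, expected in digests.items():
        actual = hashlib.new(algo, data).hexdigest()
        if actual in expected:
            return True, "%s digest matches" % algo
    return False, "digest mismatch: content differs from what was pinned"


# Constructed "sdist" contents: the original upload and a re-upload under
# the same name and version with different bytes.
ORIGINAL = b"sdist of example-pkg 1.0 (constructed)\n"
REUPLOAD = b"sdist of example-pkg 1.0 (constructed) + extra payload\n"


def demo():
    """Pin ORIGINAL by hash, pin another package by version only, then
    try to install the original, the re-upload, and a version-only package."""
    lock = (
        "# constructed lock file\n"
        "example-pkg==1.0 --hash=sha256:%s\n"
        "version-only-pkg==2.1\n"
    ) % hashlib.sha256(ORIGINAL).hexdigest()
    pins = parse_lock(lock)
    return {
        "original": verify_artifact(pins, "example-pkg", "1.0", ORIGINAL)[0],
        "reupload": verify_artifact(pins, "example-pkg", "1.0", REUPLOAD)[0],
        "wrong_version": verify_artifact(pins, "example-pkg", "1.1", ORIGINAL)[0],
        "version_only": verify_artifact(pins, "version-only-pkg", "2.1", REUPLOAD)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-14s %s" % (case, "accepted" if accepted else "rejected"))
```

The `version_only` case is the one the thread is about: the re-uploaded bytes pass because nothing but the version string was recorded, while the same bytes are rejected for `example-pkg` where a digest was pinned.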
