On 30/01/2012 21:27, Yuval Greenfield wrote:
> A little off-topic, but I always find it strange that some users of PyPI
> appear to trust package authors with the software they put up on PyPI,
> but don't trust them when it comes to the release process.
> Very strange indeed...
I don't trust "package authors".
I do trust specific versions of specific packages that I've tested.
If I can't trust PyPI to always give me the exact same result for a
specific package-version then I can't use it.
IOW if a hacked maintainer account can modify existing releases - PyPI
is a very real attack vector into many existing systems.
Tin foil hats all round ;-)
Chris
--
Simplistix - Content Management, Batch Processing & Python Consulting
- http://www.simplistix.co.uk
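The point in the reply above, trusting a tested name==version rather than an author and treating a silently changed release as an attack, amounts to pinning the hash of the artifact you tested and refusing anything else. As an added example, not code from this thread, the Python below records and checks such a pin; the `--hash=sha256:` requirements-file syntax is pip's, but the package name, version and artifact bytes are constructed for the illustration.

```python
# Added example (not from the thread): verify that a downloaded release
# artifact matches a hash pinned when that exact version was tested.
# The pin format mirrors pip's requirements-file hash syntax
# ("name==version --hash=sha256:<hex>"); the package name, version and
# artifact bytes below are constructed for this illustration.
import hashlib
import hmac
import re

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)

# Constructed sample: stands in for the bytes of an sdist or wheel file.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed stand-in for example-pkg-1.0\n"


def make_pin(name: str, version: str, data: bytes) -> str:
    """Record a pin for an artifact you have tested, for later installs to check."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(data).hexdigest()}"


def parse_pin(line: str) -> dict:
    """Split a pin line into name, version and expected digest; reject anything else."""
    m = PIN_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed pin: {line!r}")
    return m.groupdict()


def verify_artifact(data: bytes, pin: str) -> bool:
    """True only if the bytes served now equal the bytes pinned at test time.

    A re-uploaded or tampered file for the *same* name==version fails here,
    which is exactly the case the thread worries about.
    """
    expected = parse_pin(pin)["digest"]
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pin = make_pin("example-pkg", "1.0", SAMPLE_ARTIFACT)
    print(pin)
    print("unchanged release verifies:", verify_artifact(SAMPLE_ARTIFACT, pin))
    print("modified release verifies:", verify_artifact(SAMPLE_ARTIFACT + b"\x00", pin))
```

The same property is what `pip install --require-hashes -r requirements.txt` enforces for every file it downloads, so in practice the pin lives in the requirements file rather than in code.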
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig