On 1/31/2012 6:43 PM, Donald Stufft wrote:
> I don't think anyone is arguing that it's not occasionally useful. The question to answer is whether the occasional usefulness is worth the risks that come with it. In my opinion the small utility (being able to correct a borked packaging job) is not worth the risks to both my application's stability and the security of my entire system.
The question is whether, on each issue, PyPI should be optimized for authors (who provide their modules for free) or for users. Both choices are defensible. However, if all choices are made in favor of users, there will very likely be fewer things uploaded or even listed, which is not favorable for users.
It is hard to take your security concerns too seriously when you consistently ignore security suggestions. Prohibiting deletion or replacement by authors will give you no protection against the site being compromised by other means, whereas the suggestions you ignore would.
--
Terry Jan Reedy

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig