On Wed, Feb 1, 2012 at 5:18 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
> Donald Stufft <donald.stufft <at> gmail.com> writes:
> > I don't even understand why people are having this discussion. PyPI is
> > not a packaging *authority*. It's not Debian or Fedora or anything like
> > that. It's just a place for people to publish files and metadata. You
> > can't trust it any more than you can trust the uploaders themselves.
> >
> > Semantics arguments are boring and tired.
>
> Just because you don't understand them doesn't make them irrelevant.
> PyPI is *not* secure. Any maintainer can upload whatever (s)he wants. You
> are asking for a fix that won't do any good for the general problem.
> [...]
> Regards
>
> Antoine.

With that attitude you must really hate bumping release versions. Anyhow, it's a simple best practice that was the original design of the system. As was mentioned, of course there are more vulnerabilities. Improving the system one part at a time would still be a good idea. This feature would be a big win in security and sanity for a very small cost of convenience for very rare occasions and needs.

Yuval
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
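The thread's security point is that, without the index refusing re-uploads, the bytes behind a given version can change underneath a consumer. The consumer-side counterpart is to pin a digest per release file and refuse anything else under the same name. The following is an added example written for this page, not code from the thread or from PyPI; the filenames, the lock dictionary layout and the sample blobs are constructed, and the emitted requirements line uses pip's `--hash=sha256:` syntax.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample data: the bytes originally published for a release file,
# and a different blob later served under the very same filename/version.
ORIGINAL_RELEASE = b"example-1.0.0 original contents\n"
REPLACED_RELEASE = b"example-1.0.0 contents silently re-uploaded\n"
RELEASE_FILENAME = "example-1.0.0.tar.gz"  # hypothetical name


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a release file's bytes."""
    return hashlib.sha256(data).hexdigest()


def record_release(lockfile: Dict[str, str], filename: str, data: bytes) -> str:
    """Pin the digest the first time a release file is seen.

    A version is treated as immutable: if the same filename is recorded
    again with different bytes, refuse instead of overwriting the pin.
    Re-recording identical bytes is harmless and allowed.
    """
    digest = sha256_hex(data)
    existing = lockfile.get(filename)
    if existing is not None and not hmac.compare_digest(existing, digest):
        raise ValueError(
            f"{filename}: contents changed under an existing version "
            f"(pinned {existing[:12]}..., got {digest[:12]}...)"
        )
    lockfile[filename] = digest
    return digest


def verify_release(lockfile: Dict[str, str], filename: str, data: bytes) -> bool:
    """True if the downloaded bytes match the pinned digest for this file."""
    expected = lockfile.get(filename)
    if expected is None:
        raise KeyError(f"{filename} has no pinned digest; refuse to install")
    return hmac.compare_digest(expected, sha256_hex(data))


def requirements_line(project: str, version: str, digest: str) -> str:
    """Render a pip requirements entry that forces hash checking for this pin."""
    return f"{project}=={version} --hash=sha256:{digest}"


if __name__ == "__main__":
    lock: Dict[str, str] = {}
    digest = record_release(lock, RELEASE_FILENAME, ORIGINAL_RELEASE)
    print(requirements_line("example", "1.0.0", digest))
    print("original verifies:", verify_release(lock, RELEASE_FILENAME, ORIGINAL_RELEASE))
    print("replaced verifies:", verify_release(lock, RELEASE_FILENAME, REPLACED_RELEASE))
    try:
        record_release(lock, RELEASE_FILENAME, REPLACED_RELEASE)
    except ValueError as err:
        print("re-upload rejected:", err)
```

Installing from the generated requirements line with `pip install --require-hashes -r requirements.txt` makes pip itself refuse a file whose digest differs, so a replaced upload fails at install time rather than going unnoticed.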