On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel <[email protected]> wrote:
> I wouldn't assume that maintainers are easily reachable. I've contacted at
> least three people of different (>1K downloads) packages which never
> responded.

We really can't do very much about abandoned packages.

> And of course, I didn't mean to imply that already installed packages would
> suddenly break. Rather that installation instructions like "use pip install
> X" will just fail with some dependency "Y" not getting installed. Or
> getting installed in some random lower version which might contain evil bugs
> (including security bugs). For example, the referenced "lockfile" project
> has a "0.2" release on pypi, but is currently at 0.9.

There is no way around that problem, except people other than the maintainers
uploading the software to PyPI. That's certainly an option, and I have no good
argument against it, but I don't like it. (Obviously it can only be done for
software marked with relevant licenses).

> In the end, however, none of this prevents MITM attacks between a downloader
> and pypi.python.org.

Sure, and that's another problem, and the low-hanging fruit there is using https.

> If a signature is available (also at a download_url site), then we can
> exclude undetected tampering.

If they can change the file at the download_url site, then they surely can
change the signature?

//Lennart

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
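The two points raised in the message above, that a signature or checksum served next to the file on a download_url site is under the same control as the file, and that a dependency can silently resolve to an old release, can be shown with a small model. This is an added example, not code from the thread or from pip/PyPI; the site contents, file names, package bytes and version lists are constructed samples, and the pinned-digest check stands in for any verifier whose trust anchor (a digest or a signing key) was obtained out of band rather than from the site being checked.

```python
import hashlib
import hmac

# Added example, not code from the thread. The site contents, file names
# and version lists below are constructed samples.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_site(tarball: bytes) -> dict:
    """Model a download_url site: the sdist plus a checksum file served
    next to it. Whoever controls the site controls both files."""
    return {
        "lockfile-0.9.tar.gz": tarball,
        "lockfile-0.9.tar.gz.sha256": sha256_hex(tarball),
    }


GENUINE = b"genuine lockfile 0.9 sdist (constructed sample)"
TAMPERED = b"lockfile 0.9 sdist with an injected payload (constructed sample)"


def verify_with_sidecar(site: dict, name: str) -> bool:
    """Trust the checksum served beside the file. This only catches
    accidental corruption: an attacker who replaced the file also
    regenerated the sidecar, so the check passes on the tampered site."""
    return hmac.compare_digest(sha256_hex(site[name]), site[name + ".sha256"])


def verify_with_pinned(site: dict, name: str, pinned_sha256: str) -> bool:
    """Trust only a digest the installer brought with it, obtained out of
    band (pip's --hash=sha256:... in a requirements file works like this).
    The site cannot alter what the installer already knows."""
    return hmac.compare_digest(sha256_hex(site[name]), pinned_sha256)


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def pick_release(available: list, minimum: str) -> str:
    """Pick the newest release that satisfies a minimum version, and fail
    loudly instead of silently installing an old release (the '0.2 on
    PyPI, 0.9 upstream' situation)."""
    ok = [v for v in available if parse_version(v) >= parse_version(minimum)]
    if not ok:
        raise LookupError(f"no release >= {minimum}; only {available} available")
    return max(ok, key=parse_version)


if __name__ == "__main__":
    name = "lockfile-0.9.tar.gz"
    pinned = sha256_hex(GENUINE)   # recorded when the genuine release was vetted
    evil = make_site(TAMPERED)     # attacker rewrote both files on the site
    print("sidecar check on tampered site:", verify_with_sidecar(evil, name))         # True
    print("pinned check on tampered site: ", verify_with_pinned(evil, name, pinned))  # False
    print("newest release >= 0.9:", pick_release(["0.2", "0.9", "0.10"], "0.9"))      # 0.10
    try:
        pick_release(["0.1", "0.2"], "0.9")
    except LookupError as err:
        print("refused:", err)
```

The sidecar check accepting the tampered file is the point of the reply: a signature or checksum only adds something when the verifier's key or digest did not come from the place being verified. Using https for the transport closes the MITM gap between downloader and server but does nothing about a site owner or compromised host serving a matching file and signature pair.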
