On Wed, Feb 6, 2013 at 9:57 PM, Zygmunt Krynicki <[email protected]> wrote:
>> Right, but then we are again back to trusting a central authority,
>> in this case plone.org. If we can trust plone.org, why can't we
>> trust Python.org?
>
> Because presumably plone foundation looks at the dependency list and
> cares. Nobody here suggested that PSF should actively check what is
> being uploaded to pypi.
This is again about trusting the authors of packages to not release packages that are malicious. This is a very minor problem compared to people doing man-in-the-middle attacks on some random third-party server that loads of people are downloading software from. It's a problem that, as you mention, can only be fixed by having people review and check packages. That's not the problem we are trying to fix, although of course it's nice if whatever fix we choose also can cover that problem.

PyPI is not viewed, should not be viewed and cannot be viewed as a trusted source of software, inasmuch as you know the software will reach a certain quality, etc. What we need to do is to prevent people from hacking/taking over it or pretending to be PyPI when they are not.

//Lennart
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
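
The distinction Lennart draws, tampering in transit or by an impostor index versus a malicious author, is exactly what hash pinning separates. The following is an added example written for this page, not code from the thread or from pip/PyPI: it parses pip-style `--hash=sha256:<hex>` pins from a requirements file and verifies downloaded bytes against them in constant time, so substituted bytes from a MITM or a spoofed mirror fail the check. The project names, the requirements text and the archive bytes are all constructed for the demo; the pinned digests are computed inline here purely so the block runs offline, whereas in practice the pins are recorded out of band from a trusted copy. Note what this does not do: a pin only attests that you got the bytes you pinned, not that the author's release is benign.

```python
"""Pin-and-verify a package download (added example, constructed data)."""
import hashlib
import hmac
import re

# Algorithms accepted for a pin; md5/sha1 are ignored so a weak pin never passes.
_STRONG_ALGS = ("sha256", "sha384", "sha512")
_PIN_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


def parse_pins(requirements_text):
    """Return {project_name: [(alg, hexdigest), ...]} from pip-style lines.

    Lines without any --hash= option are ignored: an unpinned requirement
    gives the verifier nothing to check against.
    """
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name = re.split(r"[=<>!~ ]", line, maxsplit=1)[0].lower()
        digests = [(m.group("alg"), m.group("digest").lower())
                   for m in _PIN_RE.finditer(line)]
        if digests:
            pins[name] = digests
    return pins


def verify_artifact(name, data, pins):
    """True iff a strong digest of `data` equals one of the pins for `name`.

    An unknown project or a project pinned only with weak algorithms fails
    closed. hmac.compare_digest avoids leaking the match position through
    timing, which matters if an attacker can submit many candidate blobs.
    """
    expected = pins.get(name.lower())
    if not expected:
        return False
    for alg, digest in expected:
        if alg not in _STRONG_ALGS:
            continue
        actual = hashlib.new(alg, data).hexdigest()
        if hmac.compare_digest(actual, digest):
            return True
    return False


# --- constructed sample data -------------------------------------------------
# Stand-in for the bytes of a genuine sdist; only the first bytes imitate a zip.
GENUINE = b"PK\x03\x04constructed-example-pkg-1.0.zip-contents"
# Same file after an attacker in the path (or a fake index) altered one byte.
TAMPERED = GENUINE.replace(b"1.0", b"1.1")

# Pins as they would sit in a requirements file; digests computed here only
# so the example runs offline (in real use they come from a trusted copy).
REQUIREMENTS = (
    "# hashes recorded from a copy fetched over a trusted channel\n"
    "example-pkg==1.0 --hash=sha256:%s\n"
    "weakpkg==2.3 --hash=md5:%s\n"
    "unpinned==0.1\n"
) % (hashlib.sha256(GENUINE).hexdigest(), hashlib.md5(GENUINE).hexdigest())

PINS = parse_pins(REQUIREMENTS)


def demo():
    """Return the verification outcomes for the constructed cases."""
    return {
        "genuine": verify_artifact("example-pkg", GENUINE, PINS),
        "tampered": verify_artifact("example-pkg", TAMPERED, PINS),
        "weak_pin_only": verify_artifact("weakpkg", GENUINE, PINS),
        "unpinned": verify_artifact("unpinned", GENUINE, PINS),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-14s %s" % (case, "OK" if ok else "REJECTED"))
```

Only `genuine` passes; the tampered download, the md5-only pin and the unpinned project are all rejected, which is the fail-closed behaviour you want from an installer that cannot trust the transport or the index.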
