On Friday, February 22, 2013 at 6:47 PM, Giovanni Bajo wrote:
> On 23 Feb 2013, at 00:44, Donald Stufft <[email protected]> wrote:
>
> > On Friday, February 22, 2013 at 6:37 PM, Justin Cappos wrote:
> > > > 1c) hide/show a package version
> > >
> > > I need to look into this more. There are several ways this can be set up and I need to understand more to know how to respond. Offhand, I would say that having the developer sign and upload metadata indicating hidden vs. visible is the most secure. From a usability perspective, PyPI could sign something stating this instead, but this requires trusting PyPI more than may be wise. Were it my system, I'd prefer the former (and can talk more about risks with the latter), but either choice seems reasonable.
> >
> > Hiding/showing a package on PyPI is only in the webui. It doesn't actually affect what the installation tools can find.
>
> Uh-uh, I never knew this until today. Then this is, by itself, a possible security hole. I would like to see this fixed somehow (either removing the feature, and making sure installation tools match the web ui experience).
Crate implements this by showing that the "hidden" version existed in the webui, but visually showing it as "crossed out" / removed.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
