On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg <m...@egenix.com> wrote:
> So let's do this carefully and find a good solution before
> jumping to conclusions.

Completely agreed; rushing is a bad idea. But so is not starting. What I'm seeing — as a total outsider, a user of these tools, not someone who creates them — is that a bunch of people (Holger, Donald, Richard, the pip maintainers, etc.) have the beginnings of a solution ready to go *right now*, and I want to capture that energy and enthusiasm before it evaporates.

This isn't an academic situation; I've seen companies decline to adopt Python over this exact security issue. I can't share details in writing, but ask me at PyCon and I can tell you some stories. Externally-hosted packages are a security risk, full stop. There's likely an even better solution involving strong cryptography and such, but there's also an incremental improvement on the table right now. Nobody's suggesting that we do this hastily or all at once, but there *is* a proposal to get the process started right now. Why shouldn't we get going while there's momentum?

Jacob
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig