On Mar 12, 2013, at 12:41 PM, "M.-A. Lemburg" <m...@egenix.com> wrote:
> On 12.03.2013 17:29, Jacob Kaplan-Moss wrote:
>> On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg <m...@egenix.com> wrote:
>>> So let's do this carefully and find a good solution before jumping to conclusions.
>>
>> Completely agreed; rushing is a bad idea.
>>
>> But so is not starting. What I'm seeing — as a total outsider, a user of these tools, not someone who creates them — is that a bunch of people (Holger, Donald, Richard, the pip maintainers, etc.) have the beginnings of a solution ready to go *right now*, and I want to capture that energy and enthusiasm before it evaporates.
>>
>> This isn't an academic situation; I've seen companies decline to adopt Python over this exact security issue. I can't share details in writing but ask me at PyCon and I can tell you some stories. Externally-hosted packages are a security risk, full stop.
>>
>> There's likely an even better solution involving strong cryptography and such, but there's also an incremental improvement on the table right now. Nobody's suggesting that we do this hastily or all at once, but there *is* a proposal to get the process started right now. Why shouldn't we get going while there's momentum?
>
> Sure; I'm just saying that we need to test drive the proposal before actually adopting it.

fwiw https://restricted.crate.io/ is the simple index minus any external url and has existed for over a year. I use it full time, and have others doing the same.

> I'm also trying to get some of the more radical unneeded changes reconsidered. We don't need to break things just because we can - let's leave that to our kids ;-)
>
> Holger has already addressed much of this in his V2 proposal and apart from the time frame and some details, it looks good.
>
> Meanwhile, I've been playing around with the earlier proposal I put forward:
>
> http://wiki.python.org/moin/PyPI/DownloadMetaDataProposal
>
> to secure external links and found several issues while implementing it. It's easy to draw up a design, but you only get down to the problems when actually trying to implement it.
>
> --
> Marc-Andre Lemburg
> eGenix.com
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA