On 8 October 2014 20:06, holger krekel <[email protected]> wrote:
> Given that PyPI is a wiki and Linux Distros are a curated index, i
> insist it's dangerous to recommend to mix multiple indexes with pip if
> you don't know quite exactly what you are doing. Do you really disagree
> on this?
Hence this line in the PEP:
End users wishing to limit what files they pull from which
repository can simply use devpi to whitelist projects from PyPI or
another repository.
Anyone running a private PyPI mirror without disabling the use of
upstream indexes entirely is already running their infrastructure in a
dangerously insecure configuration. That has nothing to do with PEP
470.
Regards,
Nick.
--
Nick Coghlan | [email protected] | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
