On 8 October 2014 20:06, holger krekel <hol...@merlinux.eu> wrote:
> Given that PyPI is a wiki and Linux Distros are a curated index, I
> insist it's dangerous to recommend to mix multiple indexes with pip if
> you don't know quite exactly what you are doing. Do you really disagree
> on this?

Hence this line in the PEP:

    End users wishing to limit what files they pull from which
    repository can simply use devpi to whitelist projects from PyPI
    or another repository.

Anyone running a private PyPI mirror without disabling the use of
upstream indexes entirely is already running their infrastructure in a
dangerously insecure configuration. That has nothing to do with PEP 470.

Regards,
Nick.

-- 
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig