On Wed, Oct 08, 2014 at 21:22 +1000, Nick Coghlan wrote:
> On 8 October 2014 20:57, holger krekel <[email protected]> wrote:
> > On Wed, Oct 08, 2014 at 20:27 +1000, Nick Coghlan wrote:
> > Well, for installing NAME from pypi you need to trust that the people
> > who registered and maintain NAME are not doing something bad (and the
> > machine is not compromised but in that case all bets are off obviously).
> > And I can make a choice to trust "django", "flask", "warehouse" and other
> > pypi names. I am exposing myself to whatever the maintainers published
> > but it's my choice. This is a very different thing compared to:
> >
> >     pip install --extra-index http://private.repo mypackage
> >
> > I may think I am trusting just "mypackage" from my private repo.
> > But in fact I am betting on nobody uploading "mypackage" to the pypi wiki.
> > I don't think this is very obvious to many -- it certainly wasn't
> > at EuroPython2014.
>
> So your concern is specifically with the fact that some users are not
> currently aware that "--extra-index" adds an *extra* index (which can
> then supply *any* package, as can the default index), and not a
> *replacement* index, and that they need to use --index-url in order to
> completely override the default index?
No, I am not concerned about the extra index supplying whatever packages.
After all, the user specifies the option and should trust that index.
I am concerned about the fact that public PyPI links are merged in even
for my private packages residing on the extra index.

> Would you be more comfortable if the existing admonition in PEP 470 to
> use a private devpi instance with whitelisting in situations with a
> low security risk tolerance was accompanied by a concrete example that
> noted the appropriate option to use for private index URLs?:
>
>     pip install --index-url private-repo.example.com mypackage

I rather think the whole rationale "Why additional repositories?" section
of the PEP needs a re-work and specifically not recommend --extra-index-url.
Contrary to what Donald and Paul claim I don't see it discussing just the
particular issue of using extra indexes for publicly registered packages:

http://legacy.python.org/dev/peps/pep-0470/#why-additional-repositories

best,
holger

_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
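The merge behaviour the two messages above argue about, as an added toy model (written for this page; it is not pip's own resolver code): every configured index is consulted, the candidate lists are concatenated, and the highest version wins regardless of which index served it. `--index-url` replaces the default index, `--extra-index-url` adds to it. The index URLs and their contents are constructed for the example, and version ordering is simplified to dotted integers rather than full PEP 440.

```python
"""Toy model of candidate selection across several package indexes.

Added illustration for this thread; it is NOT pip's own code. The index
URLs and their contents below are constructed for the example.
"""
from typing import Dict, List, Tuple

# Hypothetical index URLs (assumed, not taken from the thread).
PUBLIC_INDEX = "https://pypi.org/simple"      # stands in for the default index
PRIVATE_INDEX = "http://private.repo/simple"  # stands in for the private repo

# Constructed index contents: project name -> available versions.
INDEXES: Dict[str, Dict[str, List[str]]] = {
    PUBLIC_INDEX: {
        "django": ["1.6.7", "1.7"],
        # Constructed scenario: somebody registered the private project's
        # name on the public index with a very high version number.
        "mypackage": ["99.0"],
    },
    PRIVATE_INDEX: {
        "mypackage": ["1.2", "1.3"],
    },
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Plain dotted integer releases only; enough for the illustration."""
    return tuple(int(part) for part in v.split("."))


def resolve(name: str, index_url: str, extra_index_urls: List[str],
            indexes: Dict[str, Dict[str, List[str]]] = INDEXES) -> Tuple[str, str]:
    """Return (version, index_url) that would be installed.

    Every configured index is queried, the candidates are merged into one
    list, and the highest version wins no matter which index served it.
    """
    candidates = []
    for url in [index_url, *extra_index_urls]:
        for v in indexes.get(url, {}).get(name, []):
            candidates.append((parse_version(v), v, url))
    if not candidates:
        raise LookupError(f"no distribution found for {name}")
    _, version, source = max(candidates, key=lambda c: c[0])
    return version, source


def with_extra_index(name: str) -> Tuple[str, str]:
    """Models: pip install --extra-index-url http://private.repo/simple NAME
    (default index kept, private index added)."""
    return resolve(name, PUBLIC_INDEX, [PRIVATE_INDEX])


def with_index_url(name: str) -> Tuple[str, str]:
    """Models: pip install --index-url http://private.repo/simple NAME
    (default index replaced by the private index)."""
    return resolve(name, PRIVATE_INDEX, [])


if __name__ == "__main__":
    # The public 99.0 shadows the private 1.3 when the index is merely "extra".
    print("extra-index-url:", with_extra_index("mypackage"))
    # With --index-url only the private index is consulted.
    print("index-url:      ", with_index_url("mypackage"))
    # The price: public dependencies must now be served by the private index.
    try:
        with_index_url("django")
    except LookupError as e:
        print("index-url:      ", e)
```

The last case is why the thread keeps coming back to a private devpi instance with whitelisting: once the default index is replaced rather than supplemented, the private index has to serve (mirror or proxy) the public packages you still need, and it can do so per explicitly allowed name instead of letting any public upload compete with a private one.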
