On Fri, Nov 4, 2016 at 11:29 PM, Nick Coghlan <ncogh...@gmail.com> wrote:

> If I understand correctly, conda-forge works on the same basic
> principle - reviewing the publishers before granting them publication
> access, rather than defending against arbitrarily malicious code at
> build time.
>

Yup -- that's pretty much it. You need a conda-forge member to merge your
PR before you get a "feedstock" tied into the system.

I'm confused though -- IIUC, ANYONE can put something up on PyPI with
arbitrary code in it that will get run by someone when they pip install
it.

So how is allowing anyone to push something to PyPI that will run arbitrary
code on a CI server, which will then push arbitrary code to PyPI that gets
run by anyone who pip installs it, any different?

Essentially, we have already said that there is no such thing as "trusting
PyPI" -- you need to trust each individual package. So how is any sort of
auto-build system going to change that?
-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR&R            (206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115       (206) 526-6317   main reception

chris.bar...@noaa.gov
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
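The message above argues that there is no "trusting PyPI", only trusting each individual package. The following is an added example, not code from the thread or from pip, showing what per-package trust looks like as a concrete control: every artifact a CI job installs is pinned to a version and a sha256 digest in pip's `--hash=sha256:` requirements syntax, and anything unpinned or with a mismatched digest is refused before it is installed. The package name `demo`, the requirements text and the artifact bytes are constructed for the example; the digests are computed in-code from those constructed bytes, whereas in practice the pins come from an artifact you have already reviewed.

```python
import hashlib
import re

# Constructed sample artifacts: the bytes of a wheel as built by a trusted
# publisher, and the same wheel after an unauthorized modification.
PAYLOAD_OK = b"demo-1.0 wheel contents (constructed)"
PAYLOAD_TAMPERED = b"demo-1.0 wheel contents (constructed, modified)"


def sha256_hex(data: bytes) -> str:
    """Hex sha256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed requirements file in pip's hash-checking format. The digest is
# derived from PAYLOAD_OK above so the example is self-consistent.
REQUIREMENTS = (
    "demo==1.0 --hash=sha256:" + sha256_hex(PAYLOAD_OK) + "\n"
    "# comment lines and blank lines are ignored\n"
    "\n"
)

# name==version followed by one or more --hash=sha256:<64 hex chars> options.
LINE_RE = re.compile(
    r"^([A-Za-z0-9_.-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})+)$"
)


def parse_requirements(text: str) -> dict:
    """Parse pinned requirements into {name: (version, {sha256 hex digests})}.

    A line without a version pin and at least one hash is rejected outright:
    an unpinned requirement means the artifact is trusted by name alone, which
    is exactly the "trust PyPI" model the thread says does not exist.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        name, version, hash_opts = m.group(1).lower(), m.group(2), m.group(3)
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", hash_opts))
        pins[name] = (version, digests)
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> str:
    """Decide whether a downloaded artifact may be installed.

    Returns "ok", "unpinned", "version-mismatch" or "hash-mismatch"; only "ok"
    should be allowed to proceed to installation (and thus to running any
    install-time code the artifact carries).
    """
    pin = pins.get(name.lower())
    if pin is None:
        return "unpinned"
    pinned_version, digests = pin
    if version != pinned_version:
        return "version-mismatch"
    if sha256_hex(data) not in digests:
        return "hash-mismatch"
    return "ok"


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print("trusted build :", verify_artifact("demo", "1.0", PAYLOAD_OK, pins))
    print("modified build:", verify_artifact("demo", "1.0", PAYLOAD_TAMPERED, pins))
    print("unknown package:", verify_artifact("other", "2.0", b"", pins))
```

The check refuses three distinct things: a package that was never reviewed (unpinned), a newer upload under a reviewed name (version mismatch), and a re-upload or in-transit modification of the reviewed version (hash mismatch). Whether the artifact was produced by a human or by an auto-build system makes no difference to this control, which is the point of the message: the trust decision is per artifact, not per index.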
