On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:

> It's basically a test dummy package that reports users who have run
> that package template.

That's what I thought, but all the code to do the upload seems to have been
removed before s/he built those packages. Now it's just a harmless warning,
unless I'm missing something.

https://github.com/fate0/cookiecutter-evilpy-package/commit/a3ed1e1e060748b0444158ea3bc569dfbf57645e

> the site referenced lists the package name that the user ran to get
> posted to the site. there appear to be many packages in pypi that
> are built off this fatezero template.

There *appear* to be, but I checked several of the names listed there, and
they're not on PyPI:

https://pypi.python.org/pypi/tkinter
https://pypi.python.org/pypi/memcached
https://pypi.python.org/pypi/vtk
https://pypi.python.org/pypi/python-dev
https://pypi.python.org/pypi/opencv
So I wonder if the data is fake. Or maybe they were already taken down? Or
the installations are real, but not using those names.

> pypi is not a very good package management solution. most folks I
> advise to build from pypi in CI/CD but push to production via a real
> package management solution such as apt or yum. always double check
> sources coming from the internet.

It's an open repository that anyone can upload to. That has its drawbacks
and its advantages.
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
