Or start doing signed pgp for package maintainers and build a transitive trust model.
On Jun 1, 2017 8:14 PM, wrote: Force packages to match their higher level import namespace in future major Python versions and PEP it. On Jun 1, 2017 7:37 PM, "Noah Kantrowitz" <[email protected]> wrote: > On Jun 1, 2017, at 4:00 PM, Nick Timkovich <[email protected]> wrote: > > This issue was also brought up in January at https://github.com/pypa/pypi- legacy/issues/585 then just as after the initial "typosquatting PyPI" report (June 2016) it's met with resounding silence. Attacking the messenger doesn't seem like a winning move from a security standpoint. > > Can we come up with a plan to address the underlying issue and protect users? If you have a systemic solution I'm sure we would love to hear it :) --Noah _______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
_______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
