On 22/05/2019 06.59, Stephen J. Turnbull wrote: > Christian Heimes writes: > > > It's all open source. It's up to the Python community to adopt > > packages and provide them on PyPI. > > > > Python core will not maintain and distribute the packages. I'll > > merely provide a repository with packages to help kick-starting the > > process. > > This looks to me like an opening to a special class of supply chain > attacks. I realize that PyPI is not yet particularly robust to such > attacks, and we have seen "similar name" attacks (malware uploaded > under a name similar to a popular package). ISTM that this approach > to implementing the PEP will enable "identical name" attacks. (By > download count, stdlib packages are as popular as Python. :-)
I don't consider this an argument against my proposal, but an argument in favor of improving PyPI. <sarcasm> I propose a deal: If you get PEP 453 (ensurepip) revoked, ensurepip removed from the standard library, and the recommendation for the requests package on urllib.request replaced with a big, fat security warning, then I'll reconsider my proposal to recommend PyPI. </sarcasm> :) My PEP acts in good faith. As long as CPython's stdlib ships pip and embraces PyPI, I don't see any reason to distrust PyPI. Yes, PyPI is not Fort Knox. In my humble opinion it's more than secure enough for my proposal. Christian _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
