On Dec 05, 2012, at 06:07 PM, Donald Stufft wrote:

>If you're installing B you've prescribed trust to that author. If you don't
>trust the author then why are you installing (and then executing) code
>they wrote.

What if you installed Z, but B got installed because it was a dependency three levels down?

>Very convenient to declare that one of the major use cases for
>Obsoletes over Obsoleted-By is not valid because of your own
>personal opinions. Like I said above, if you're installing a package
>that someone has uploaded you've implicitly granted them trust. There
>are far worse things that a bad Python citizen can do during, and after,
>an install than what is allowed by Obsoletes.

Well, basically never installing anything from PyPI except into a virtualenv is probably a good recommendation (maybe even now).

>End systems often times do not have a singular organization controlling
>every package in their system. The best example is Ubuntu and their PPAs.

Well, PPAs are awesome, but have known and well-publicized trust issues. I wouldn't enable a PPA into my running system without really knowing who the owner is and why I'm using their PPA. Or doing a lot of testing in a chroot first, and probably pinning the package set to just the one(s) from the PPA I care about.

Cheers,
-Barry

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
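The "dependency three levels down" point above is about who gets to act on whose metadata. The following is an added toy model, not code from this thread or from any Python packaging tool, that resolves a constructed dependency graph and shows which installed distributions an installer would remove under the two policies being debated: with Obsoletes, any distribution pulled in transitively can name an installed distribution for removal; with Obsoleted-By, a distribution is removed only if it itself declares the incoming one as its replacement. All package names and authors are constructed.

```python
"""Toy model of the trust difference between Obsoletes and Obsoleted-By.

Constructed example for illustration; it does not reproduce the behaviour
of pip, setuptools or any real installer.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Dist:
    name: str
    author: str
    requires: List[str] = field(default_factory=list)
    # Obsoletes: this dist claims to replace the named dists.
    obsoletes: List[str] = field(default_factory=list)
    # Obsoleted-By: this dist declares that the named dist replaces it.
    obsoleted_by: Optional[str] = None


def resolve(index: Dict[str, Dist], root: str) -> List[Tuple[str, int]]:
    """Walk Requires breadth-first; return (name, depth) in install order."""
    plan: List[Tuple[str, int]] = [(root, 1)]
    seen = {root}
    i = 0
    while i < len(plan):
        name, depth = plan[i]
        i += 1
        for dep in index[name].requires:
            if dep not in seen:
                seen.add(dep)
                plan.append((dep, depth + 1))
    return plan


def removals_under_obsoletes(index: Dict[str, Dist],
                             installed: Dict[str, Dist],
                             plan: List[Tuple[str, int]]) -> Dict[str, Tuple[str, int]]:
    """Installer honours Obsoletes: every dist in the plan may name an
    installed dist for removal. Returns {removed: (requester, depth)}."""
    removed: Dict[str, Tuple[str, int]] = {}
    for name, depth in plan:
        for victim in index[name].obsoletes:
            if victim in installed and victim not in removed:
                removed[victim] = (name, depth)
    return removed


def removals_under_obsoleted_by(installed: Dict[str, Dist],
                                plan: List[Tuple[str, int]]) -> Dict[str, str]:
    """Installer honours Obsoleted-By: an installed dist is removed only if
    its own metadata names an incoming dist as its successor.
    Returns {removed: successor}."""
    incoming = {name for name, _ in plan}
    return {d.name: d.obsoleted_by for d in installed.values()
            if d.obsoleted_by in incoming}


# Constructed index: you vetted Z's author; B is three levels down and
# claims (via Obsoletes) to replace an unrelated installed package A.
INDEX = {
    "Z": Dist("Z", "author-you-vetted", requires=["Y"]),
    "Y": Dist("Y", "someone-else", requires=["B"]),
    "B": Dist("B", "unknown-uploader", obsoletes=["A"]),
    "A3": Dist("A3", "a-maintainer"),
}

# Constructed installed set: A's maintainer never said A was replaced;
# A2's maintainer did declare A3 as its successor.
INSTALLED = {
    "A": Dist("A", "a-maintainer"),
    "A2": Dist("A2", "a-maintainer", obsoleted_by="A3"),
}


def compare(root: str):
    """Return (plan, removals under Obsoletes, removals under Obsoleted-By)."""
    plan = resolve(INDEX, root)
    return (plan,
            removals_under_obsoletes(INDEX, INSTALLED, plan),
            removals_under_obsoleted_by(INSTALLED, plan))


if __name__ == "__main__":
    for root in ("Z", "A3"):
        plan, via_obsoletes, via_obsoleted_by = compare(root)
        print(f"install {root}: plan={plan}")
        print(f"  Obsoletes would remove:    {via_obsoletes}")
        print(f"  Obsoleted-By would remove: {via_obsoleted_by}")
```

Installing Z removes A under Obsoletes at the request of B, an author you never chose to trust, while Obsoleted-By leaves A alone; installing A3 removes A2 under Obsoleted-By because A2's own maintainer declared the succession.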