Victor Stinner <victor.stin...@gmail.com> wrote: > I don't understand your email. Can you please elaborate?
There is nothing wrong with the package. The remark is a joke provoked by a long history of a campaign [1] against external packages on distutils-sig. Many tools (like crate.io, when it was still up) have made derogatory remarks about external packages. Now the latest version of the officially sanctioned download tool (pip) spits out copious warnings, one of which is the subject of this thread. External packages are being singled out unfairly: 1) Anyone can upload any package to PyPI (i.e. the index is not curated at all). 2) Last time I looked, access credentials (via "lost login") were sent out in plaintext. 3) AFAIK people can upload a different (malicious) version of a package with *the exact same name*. 4) pip generally downloads the latest version, so a malicious person can provide a good package for several years until people trust him, then change to a trojaned version. 5) Looking at the list of certificates that is in my default cert store, I don't find SSL trustworthy at all. 6) D.J. Bernstein, who is somewhat security minded, has been shipping his software *for years* with just plain HTTP and published checksums. To sum it up: 1) Don't use pip to install packages directly from PyPI if security really matters. 2) The best security we currently get is either a) with package signatures (*if* you can get the author's key via a trustworthy channel, which is rarely the case). b) with decent checksums that are recorded on public mailing lists at the time the package is announced (it would be hard for an attacker to modify all mailing list archives.) Whether a package is internal or external is orthogonal to both points. With all these points, I find it questionable for an "official" install tool to make security related remarks about just one category of weaknesses. After all, people might be led to believe that pip is some sort of apt-get and all uploaded packages are safe. Stefan Krah [1] Note that the joke is quite innocent in comparison to what I've read on distutils-sig about the subject. _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com