Donald Stufft <don...@stufft.io> wrote:
> There is support for trusted externally hosted packages, you put the URL in
> PyPI and include a hash in the fragment like so:
> 
> http://www.bytereef.org/software/mpdecimal/releases/cdecimal-2.3.tar.gz#md5=655f9fd72f7a21688f903900ebea6f56

That is exactly the mode I was using until today.  This mode produced the
subject's warning message.

Today I've switched to manual install mode with manual sha256sum verification
which is *far* safer than anything you get via pip right now.


> [2] For the definition of safe that PyPI/pip operate under, which is that the
>     author of a package is assumed to be trusted by the person electing to
>     download their package.

No, there are other holes, which you have conceded in your previous mail.


> I don't think the warning is FUD, and it doesn't mention anything security
> related at all. The exact text of the warning is in the subject of the email
> here:
> 
>     cdecimal an externally hosted file and may be unreliable
> 
> Which is true as far as I can tell, it is externally hosted, and it may be
> unreliable[1]. If there is a better wording for that I'm happy to have it and
> will gladly commit it myself to pip.

Do you honestly not see a difference between the cited warning and the
*intended* warning "the server's availability may be unreliable"?

Even the latter is FUD or a truism (it applies to any server).

The real question is:  Why is there a warning if the person running pip
has explicitly allowed external packages?


Stefan Krah
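The `#<algo>=<hex>` pin quoted above is cheap to check on the client side. As an added example (not code from pip, PyPI or either poster), here is a small Python verifier that parses that fragment, recomputes the digest over the downloaded bytes with a constant-time compare, and flags md5/sha1 pins as weak. The tarball bytes and the example.invalid URL are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Digests accepted in a "#<algo>=<hex>" fragment. md5 is the historical
# PyPI form; sha256/sha512 are what an integrity check should rely on today.
SUPPORTED_ALGOS = ("sha256", "sha512", "sha1", "md5")
WEAK_ALGOS = ("md5", "sha1")


def parse_hash_fragment(url):
    """Return (algo, hexdigest) from a URL fragment such as '#md5=655f...'.
    Raises ValueError when the fragment is missing, unknown or malformed."""
    frag = urlparse(url).fragment
    if "=" not in frag:
        raise ValueError("URL carries no '<algo>=<hex>' fragment")
    algo, _, digest = frag.partition("=")
    algo = algo.lower()
    if algo not in SUPPORTED_ALGOS:
        raise ValueError("unsupported digest algorithm: %r" % algo)
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(
            c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("digest is not %d hex characters" % expected_len)
    return algo, digest.lower()


def verify_download(url, data):
    """Check downloaded bytes against the digest pinned in the URL fragment.
    Returns True on a match; hmac.compare_digest avoids timing leaks."""
    algo, expected = parse_hash_fragment(url)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def is_weak_pin(url):
    """True when the pin uses md5 or sha1; such a pin should be rejected
    or at least reported, even when the digest itself matches."""
    algo, _ = parse_hash_fragment(url)
    return algo in WEAK_ALGOS


# Constructed sample: stand-in tarball bytes and a made-up URL pinned to
# their sha256, so the check can be exercised offline.
SAMPLE_DATA = b"cdecimal release tarball stand-in\n"
SAMPLE_URL = ("https://example.invalid/cdecimal-2.3.tar.gz#sha256="
              + hashlib.sha256(SAMPLE_DATA).hexdigest())

if __name__ == "__main__":
    print("sample verifies:", verify_download(SAMPLE_URL, SAMPLE_DATA))
    print("sample pin weak:", is_weak_pin(SAMPLE_URL))
```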


_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev