Re: [Distutils] continuous integration options (was Re: Travis-CI is not open source, except in fact it *is* open source)

2016-11-06 Thread Nick Coghlan
On 7 November 2016 at 07:20, Chris Barker wrote:
> So how is allowing anyone to push something to PyPI that will run arbitrary
> code on a CI server, that will push arbitrary code to PyPI that will then
> get run by anyone that pip installs it?

PyPI currently has the ability to impersonate any Py

Re: [Distutils] continuous integration options (was Re: Travis-CI is not open source, except in fact it *is* open source)

2016-11-06 Thread Chris Barker
On Fri, Nov 4, 2016 at 11:29 PM, Nick Coghlan wrote:
> If I understand correctly, conda-forge works on the same basic
> principle - reviewing the publishers before granting them publication
> access, rather than defending against arbitrarily malicious code at
> build time.

yup -- that's pretty