[Catalog-sig] an immutable mirror of PyPI

M.-A. Lemburg mal at egenix.com
Tue Jul 19 00:04:09 CEST 2011


Terry Reedy wrote:
> On 7/16/2011 6:58 AM, Martijn Faassen wrote:
> 
>> Okay, so this scenario is possible:
>>
>> * developer of a popular package gets fed up for unknown reasons
>>
>> * removes his package from PyPI (not realizing the thing below)
>>
>> * someone else notices this and recreates the package maliciously
> 
> pypi could prohibit the reuse of deleted package names.
> If a name was 'retired' for legal reasons, then it should stay retired
> anyway.

Recycling of package names can very well have a real and honest
background, e.g. if someone decides to give a package name to someone
else for whatever reason. Happens in DNS all the time.

BTW: To address your repeatability/security concerns, the tools you are
using would also have to store the hash checksum of the downloaded
packages together with the version. AFAIK, buildout only pins down
versions, not MD5/SHA1 sums.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jul 18 2011)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/