[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Donald Stufft donald.stufft at gmail.com
Sat Feb 23 00:44:23 CET 2013


On Friday, February 22, 2013 at 6:37 PM, Justin Cappos wrote:
> > 1c) hide/show a package version
> 
> I need to look into this more. There are several ways this can be set up and I need to understand more to know how to respond. Offhand, I would say that having the developer sign and upload metadata indicating hidden vs. visible is the most secure. From a usability perspective, PyPI could sign something stating this instead, but this requires trusting PyPI more than may be wise. Were it my system, I'd prefer the former (and can talk more about risks with the latter), but either choice seems reasonable.
Hiding/showing a package on PyPI is only in the web UI. It doesn't actually affect what the installation tools can find.