[Distutils] distlib and wheel metadata

Jeremy Stanley fungi at yuggoth.org
Fri Feb 17 08:18:51 EST 2017


On 2017-02-17 09:56:04 +0100 (+0100), Nick Coghlan wrote:
[...]
> So if we rely on a manual "publish with pinned dependencies", "get bug
> report from redistributor or app developer", "republish with unpinned
> dependencies", we'll be in a situation where:
> 
> - the affected app developer or redistributor is going to have a negative
> experience with the project
> - the responsible publisher is either going to have a negative interaction
> with an end user or redistributor, or else they'll just silently move on to
> find an alternative library
> - we relinquish any control of the tone used when the publisher is alerted
> to the problem
> 
> By contrast, if we design the metadata format such that *PyPI* can provide
> a suitable error message, then:
> 
> - publishers get alerted to the problem *prior* to publication
> - end users and redistributors are unlikely to encounter the problem
> directly
> - we retain full control over the tone of the error notification
[...]

It seems like the same could be said of many common mistakes which
can be identified with some degree of certainty through analysis of
the contents being uploaded. Why not also scan for likely security
vulnerabilities with a static analyzer and refuse offending uploads
unless the uploader toggles the magic "yes I really mean it" switch?
Surely security issues are even greater downstream risks than simple
dependency problems. (NB: I'm not in favor of that either, just
nudging an example in the reductio ad absurdum direction.)
-- 
Jeremy Stanley

