[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Wed Feb 1 01:41:32 CET 2012


Which suggestions did I ignore? 


On Tuesday, January 31, 2012 at 7:40 PM, Terry Reedy wrote:

> On 1/31/2012 6:43 PM, Donald Stufft wrote:
> > I don't think anyone is arguing that it's not occasionally useful. The
> > question to answer is the occasional usefulness worth the risks that
> > come with it. In my opinion the small utility (being able to correct a
> > borked packaging job) is not worth the risks to both my applications
> > stability, and the security of my entire system.
> > 
> 
> 
> The question is whether, on each issue, PyPI should be optimized for 
> authors (who provide their modules for free) or for users. Both choices 
> are defensible. However, if all choices are made in favor of users, 
> there will very likely be fewer things uploaded or even listed, which is 
> not favorable for users.
> 
> It is hard to take your security concerns too seriously when you 
> consistently ignore security suggestions. Prohibiting deletion or 
> replacement by authors will give you no protection against the site 
> being compromised by other means, whereas the suggestions you ignore would.
> 
> -- 
> Terry Jan Reedy
> 
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> http://mail.python.org/mailman/listinfo/catalog-sig
> 
> 

