[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Antoine Pitrou solipsis at pitrou.net
Wed Feb 1 15:29:11 CET 2012


Yuval Greenfield <ubershmekel <at> gmail.com> writes:
> 
> Obviously this isn't the only problem if the account of an SQLAlchemy
> maintainer is compromised - other threats can manifest as well.

So, why you think PyPI has to have protections against the hacking of
maintainers' accounts is beyond me. That's a completely unreasonable
expectation.

Besides, being able to delete a release is mandatory (imagine you have uploaded
confidential files by mistake).

I don't even understand why people are having this discussion. PyPI is not a
packaging *authority*. It's not Debian or Fedora or anything like that. It's
just a place for people to publish files and metadata. You can't trust it any
more than you can trust the uploaders themselves.

Regards

Antoine.



