[Catalog-sig] Proposal: close the PyPI file-replacement loophole
Martijn Faassen
faassen at startifact.com
Sat Feb 4 21:12:29 CET 2012
On 02/01/2012 01:40 AM, Terry Reedy wrote:
> On 1/31/2012 6:43 PM, Donald Stufft wrote:
>> I don't think anyone is arguing that it's not occasionally useful. The
>> question to answer is the occasional usefulness worth the risks that
>> come with it. In my opinion the small utility (being able to correct a
>> borked packaging job) is not worth the risks to both my applications
>> stability, and the security of my entire system.
>
> The question is whether, on each issue, PyPI should be optimized for
> authors (who provide their modules for free) or for users. Both choices
> are defensible. However, if all choices are made in favor of users,
> there will very likely be fewer things uploaded or even listed, which is
> not favorable for users.
I don't think it's a simple dichotomy. If the authors follow certain
best practices they might retain more users, say. And if the system is great
for users and has lots of them, that motivates authors to work with it.
Regards,
Martijn
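The risk Donald describes above (a distribution file silently replaced under the same filename, so that name and version alone no longer identify what you install) is exactly what per-file hash pinning is meant to catch. The following is an added example, not code from the thread or from PyPI or pip: it pins the hash of the file that was first reviewed and shows that a name-and-version check accepts a replaced file while a hash check rejects it. The two "uploads" are constructed byte strings, the Pin record is a hypothetical lock-entry format, and the one real-world reference is pip's hash-checking mode, whose requirements syntax `pkg==ver --hash=sha256:<hex>` the last function emits.

```python
"""Detect silent replacement of a PyPI distribution file by pinning its hash.

Added example for the Catalog-SIG thread, not part of the original post.
ORIGINAL and REPLACED are constructed stand-ins for an sdist and a re-upload
under the same filename; Pin is a hypothetical lock-file entry.
"""
import hashlib
import hmac
from dataclasses import dataclass

ALGORITHM = "sha256"


def digest(data: bytes) -> str:
    """Hex digest of the file contents with the pinned algorithm."""
    return hashlib.new(ALGORITHM, data).hexdigest()


@dataclass(frozen=True)
class Pin:
    """What was reviewed/installed the first time: filename plus content hash."""
    filename: str
    sha256: str


def pin_file(filename: str, data: bytes) -> Pin:
    """Create the lock entry from the bytes actually downloaded and reviewed."""
    return Pin(filename, digest(data))


def check_by_name(pin: Pin, filename: str) -> bool:
    """What an unpinned installer effectively does: trust name and version.

    A file re-uploaded under the same name passes this check unchanged.
    """
    return pin.filename == filename


def check_by_hash(pin: Pin, filename: str, data: bytes) -> bool:
    """Reject any content that differs from the pinned hash, same name or not.

    compare_digest avoids a timing side channel on the hex comparison.
    """
    return pin.filename == filename and hmac.compare_digest(pin.sha256, digest(data))


def requirements_line(name: str, version: str, pin: Pin) -> str:
    """Render the pin in the syntax pip's hash-checking mode accepts.

    With such a line in a requirements file, pip refuses any download whose
    sha256 does not match, which is the installer-side fix for replacement.
    """
    return f"{name}=={version} --hash={ALGORITHM}:{pin.sha256}"


# Constructed sample uploads: same filename, different contents.
FILENAME = "foo-1.0.tar.gz"
ORIGINAL = b"constructed tarball bytes: foo-1.0.tar.gz, first upload"
REPLACED = b"constructed tarball bytes: foo-1.0.tar.gz, re-uploaded with changes"


def demo() -> dict:
    """Pin the first upload, then evaluate both uploads with both checks."""
    pin = pin_file(FILENAME, ORIGINAL)
    return {
        "name_check_original": check_by_name(pin, FILENAME),
        "name_check_replaced": check_by_name(pin, FILENAME),
        "hash_check_original": check_by_hash(pin, FILENAME, ORIGINAL),
        "hash_check_replaced": check_by_hash(pin, FILENAME, REPLACED),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'pass' if passed else 'REJECTED'}")
    print(requirements_line("foo", "1.0", pin_file(FILENAME, ORIGINAL)))
```

The name-only check returns True for both uploads, which is why a replaced file can reach an installed system unnoticed; the hash check returns False for the replacement. Pinning only helps against files replaced after you first reviewed them, so the pin must be taken from a copy you have actually inspected or built from, not from whatever the index serves at lock time.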