[Catalog-sig] Use user-specific site-packages by default?

Lennart Regebro regebro at gmail.com
Tue Feb 5 14:34:50 CET 2013


On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft <donald.stufft at gmail.com> wrote:
> A longer deprecation wouldn't be a bad thing merely because a lot
> of people depend on this feature without even realizing it. Crate has
> an index you can use that removes all external urls to test your own
> projects on. --index-url=https://restricted.crate.io/ (through pip).
>
> Or rather a short deprecation in the tools where they'll crawl external
> links by default, and a long deprecation where they'll do it with an
> --enable-unsafe-externals or something.
>
> I certainly agree, though, that the current client-side crawling is a
> nuisance and makes for unreliability of installation procedures. I think we
> should move the crawling to the server side and cache packages.

Whatever we do to fix the PyPI security it *will* break all the
packages that now exist on third-party servers. As long as unsigned
packages from third-party servers are allowed, we have a big honking
security hole. I'm now almost sorry I suggested a deprecation period,
as this gives the wrong impression.

So forget about it. I'm now suggesting a different deprecation: For a
couple of versions of Distribute and pip, we continue to crawl, but do
not install the packages. Instead we exit with "Package found at
<url>, but packages from third-party servers are not installed by
easy_install because they pose a security issue."

//Lennart
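As an added illustration (not code from the post or from pip/Distribute), here is the "crawl but refuse" check the message proposes: links found for a project are resolved against the index URL, anything whose origin differs from the index's own is reported with the proposed refusal text instead of being installed. The sample links, the index URL and the function names are constructed for this example; the refusal message is adapted from the wording in the post.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample data (not real index output): one project's download
# links as a simple index might list them, plus the index URL they came from.
INDEX_URL = "https://pypi.python.org/simple/"
SAMPLE_LINKS = [
    "https://pypi.python.org/packages/source/e/example/example-1.0.tar.gz",
    "/packages/source/e/example/example-0.9.tar.gz",            # relative: same host
    "http://downloads.example-host.invalid/example-1.0.tar.gz",  # third-party server
    "https://pypi.python.org@evil.invalid/example-1.0.tar.gz",   # userinfo before a foreign host
]

# Refusal text adapted from the proposal in the post above.
REFUSAL = ("Package found at {url}, but packages from third-party servers are "
           "not installed because they pose a security issue.")


def _origin(url):
    """Return (scheme, hostname, port) for a URL.

    urlparse().hostname is lowercased and excludes any userinfo, so a link of
    the form 'https://index-host@other-host/...' is attributed to other-host.
    """
    p = urlparse(url)
    return (p.scheme.lower(), p.hostname, p.port)


def is_third_party(link, index_url=INDEX_URL):
    """True when the link, resolved against the index URL, does not point back
    at the index's own origin (scheme, host and port must all match, so a
    plain-http link to an https index is also treated as foreign)."""
    resolved = urljoin(index_url, link)
    return _origin(resolved) != _origin(index_url)


def classify_links(links, index_url=INDEX_URL):
    """Split links into those the tool may fetch from the index itself and
    those it should refuse, pairing each refused link with its message."""
    installable, refused = [], []
    for link in links:
        if is_third_party(link, index_url):
            refused.append((link, REFUSAL.format(url=link)))
        else:
            installable.append(urljoin(index_url, link))
    return installable, refused


if __name__ == "__main__":
    ok, bad = classify_links(SAMPLE_LINKS)
    for url in ok:
        print("install:", url)
    for _, msg in bad:
        print("refuse :", msg)
```

Comparing the full origin rather than a substring of the URL is the point of the check: a hostname match alone would let a downgrade to plain http or a userinfo-prefixed link pass as "the index".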
