[Catalog-sig] Use user-specific site-packages by default?

Nick Coghlan ncoghlan at gmail.com
Tue Feb 5 16:10:29 CET 2013


On Wed, Feb 6, 2013 at 1:06 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> On Tuesday, February 5, 2013 at 9:53 AM, holger krekel wrote:
>
> Point taken. I guess unless someone sits down and writes a PEP-ish path for
> fortification, it's gonna be hard to assess viability and resilience
> against the several attack vectors which should be sorted/prioritized.
>
> Or is somebody on that already? (there were hints of some background
> discussions - not sure that's helping much as most attack vectors against
> the python packaging ecosystem are kind of well known or easy to guess after
> a bit of research and experimentation).
>
> There are easy wins to take care of before we go this route. It's a *hard*
> problem that on the surface appears easy. I've personally got some ideas
> and I'm sure others do as well, but focusing on the hard problems when there
> are several low hanging fruit is a red herring IMO.

The background discussions Holger mentioned earlier are actually aimed
at picking some of those low hanging fruit (a lot of it related to the
general provision of the PSF infrastructure at OSU/OSL and making it
easier to improve PyPI's handling of HTTPS).

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
