[Distutils] PEP 470 discussion, part 3

Donald Stufft donald at stufft.io
Thu Jul 24 01:20:17 CEST 2014


On July 23, 2014 at 6:27:31 PM, Nick Coghlan (ncoghlan at gmail.com) wrote:
> a) For private indexes, being able to override upstream is a feature, not a bug
> b) Categorically preventing spoofing is what end-to-end signing is for

I forgot to mention that you basically need to trust the maintainers of the packages you choose to install anyway. Even if we don’t use multi-index, it’s trivial for a package to masquerade as another one. In Metadata 2.0, even with package signing, you end up where I can have you install “django-foobar”, which depends on “FakeDjango”, which provides “Django”, and then for all intents and purposes you have a “Django” package installed.

The point being that we can’t rely on the index ACLs to protect a user who has elected to install something that does something bad. The authors of a package that the user has opted to install *are not* in the threat model.

-- 
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA