[Distutils] Need for respect (was: PEP 438, pip and --allow-external)
Stefan Krah
stefan-usenet at bytereef.org
Tue May 13 13:58:29 CEST 2014
Paul Moore <p.f.moore at gmail.com> wrote:
> > Not quite the sequence of events. -- I left the existing explicit link
> > for some time after the first posts to python-dev. Then serious security
> > issues were marginalized ("not a meaningful scenario"). I find this a
> > little surprising, since PEP 458 is precisely there to address them.
> >
> > The user base that cdecimal targets (banks, stock exchanges, scientists)
> > are able to verify checksums -- in fact in some places it might be a
> > firing offense not to do so.
>
> Personally, I don't recall ever seeing anything about a serious
> security issue.
Well, basically a couple of things that PEP 458 tries to address. Currently
manual verification of release time checksums is a good bet.
Anyway, people who *can* verify checksums can also use pip with judgement,
so I've re-enabled the explicit link.
I would be a bit more comfortable with sha256 instead of md5, but I may have
missed an option.
Stefan Krah
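The manual checksum verification discussed in this thread, as an added example that is not code from the thread or from pip: it takes the `#algo=hex` fragment of an explicit download link, hashes the downloaded file, and refuses md5 unless the caller opts in explicitly. The URLs, file names and file contents are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from urllib.parse import urlsplit

STRONG = {"sha256", "sha384", "sha512"}  # acceptable for release verification
LEGACY = {"md5", "sha1"}                 # only with an explicit opt-in

def parse_hash_fragment(url):
    # Return (algorithm, hexdigest) from a '#algo=hex' URL fragment, else None.
    algorithm, _, hexdigest = urlsplit(url).fragment.partition("=")
    algorithm = algorithm.lower()
    if not hexdigest or algorithm not in STRONG | LEGACY:
        return None
    return algorithm, hexdigest.lower()

def file_digest(path, algorithm, chunk_size=1 << 20):
    h = hashlib.new(algorithm)  # incremental: a large sdist need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, url, allow_legacy=False):
    # Check a file against the checksum in its link; fail closed on any doubt.
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return False, "no usable checksum in URL fragment"
    algorithm, expected = parsed
    if algorithm in LEGACY and not allow_legacy:
        return False, f"{algorithm} not accepted without allow_legacy=True"
    actual = file_digest(path, algorithm)
    # Constant-time compare: no early exit on the first differing hex digit.
    if not hmac.compare_digest(actual, expected):
        return False, f"{algorithm} mismatch: expected {expected}, got {actual}"
    return True, f"{algorithm} verified"

def demo():
    # Constructed sample: a fake sdist, a tampered copy, and links for both.
    data = b"cdecimal-sample.tar.gz (constructed sample content)\n"
    paths = []
    for content in (data, data + b"tampered\n"):
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write(content)
            paths.append(f.name)
    base = "http://example.invalid/cdecimal-sample.tar.gz"
    sha_link = f"{base}#sha256={hashlib.sha256(data).hexdigest()}"
    md5_link = f"{base}#md5={hashlib.md5(data).hexdigest()}"
    return {"sha256_ok": verify_download(paths[0], sha_link)[0],
            "tampered_rejected": not verify_download(paths[1], sha_link)[0],
            "md5_refused_by_default": not verify_download(paths[0], md5_link)[0],
            "md5_with_opt_in": verify_download(paths[0], md5_link, True)[0]}
```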