[Distutils] Reviving PEP 470 - Removing External Hosting support on PyPI

Antoine Pitrou solipsis at pitrou.net
Thu Aug 27 10:25:57 CEST 2015


On Wed, 26 Aug 2015 21:24:05 -0400
Donald Stufft <donald at stufft.io> wrote:
> 
> At the time of this writing there are 65,232 projects hosted on PyPI and of
> those, 59 of them rely on external files that are safely hosted outside of PyPI
> and 931 of them rely on external files which are unsafely hosted outside of
> PyPI. This shows us that 1.5% of projects will be affected in some way by this
> change while 98.5% will continue to function as they always have. In addition,
> only 5% of the projects affected are using the features provided by PEP 438 to
> safely host outside of PyPI while 95% of them are exposing their users to
> Remote Code Execution via a Man In The Middle attack.

Out of curiosity, have you tried to determine if those Unsafely Off
PyPI projects were either still active or "popular"?

The PEP looks fine anyway, good job :)

Regards

Antoine.
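For readers who want the three buckets in Donald's numbers (hosted on PyPI, safely hosted off PyPI, unsafely hosted off PyPI) made concrete, here is an added example that classifies the links on a simple-index page by the PEP 438 rules. It is not code from pip, PyPI or either PEP; the index HTML, the dl.example.org / example.org hosts and the digests in it are constructed for the demo, and the set of hosts treated as "on PyPI" is an assumption.

```python
"""Classify the links on a PyPI "simple" index page the way PEP 438/470 do.

Added example for this thread; it is not code from pip, PyPI or the PEPs.
The index HTML, host names and hashes below are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts that count as "on PyPI" for this demo (assumption; pip simply
# compared against the index host it was talking to).
PYPI_HOSTS = {"pypi.python.org", "pypi.org", "files.pythonhosted.org"}

# Hash fragments pip can verify, with the hex digest length of each.
DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha224": 56, "sha256": 64,
                  "sha384": 96, "sha512": 128}
FRAGMENT_RE = re.compile(r"^([a-z0-9]+)=([0-9a-fA-F]+)$")


def has_verifiable_hash(fragment):
    """True if the URL fragment is a well-formed <algo>=<hexdigest>."""
    m = FRAGMENT_RE.match(fragment or "")
    if not m:
        return False
    algo, digest = m.group(1).lower(), m.group(2)
    return DIGEST_LENGTHS.get(algo) == len(digest)


def classify_link(href, rel, base_url):
    """Return "pypi", "external-safe" or "external-unsafe" for one <a> tag.

    rel="homepage"/"download" links are pages pip had to crawl for further
    links; PEP 438 treats anything found that way as unverified, so they
    are counted as unsafe here regardless of host.
    """
    rel_words = set((rel or "").lower().split())
    if rel_words & {"homepage", "download"}:
        return "external-unsafe"
    url = urlparse(urljoin(base_url, href))
    if url.netloc.lower() in PYPI_HOSTS:
        return "pypi"
    if has_verifiable_hash(url.fragment):
        # pip checks the digest from the (HTTPS-served) index page against
        # the downloaded file, so a swapped file fails before setup.py runs.
        return "external-safe"
    # No digest: a man-in-the-middle can serve any sdist and pip will run it.
    return "external-unsafe"


class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if a.get("href"):
                self.links.append((a["href"], a.get("rel")))


def classify_page(html, base_url):
    """Count links on one simple-index page per bucket."""
    p = _Links()
    p.feed(html)
    counts = {"pypi": 0, "external-safe": 0, "external-unsafe": 0}
    for href, rel in p.links:
        counts[classify_link(href, rel, base_url)] += 1
    return counts


def relies_on_unsafe_external(html, base_url):
    """PEP 470's 'unsafely hosted' condition: at least one link an in-path
    attacker could replace with a malicious sdist without pip noticing."""
    return classify_page(html, base_url)["external-unsafe"] > 0


# Constructed sample index page for a made-up project "examplepkg".
SAMPLE_BASE = "https://pypi.python.org/simple/examplepkg/"
SAMPLE_INDEX = """
<html><body>
<a href="https://pypi.python.org/packages/source/e/examplepkg/examplepkg-1.0.tar.gz#md5=d41d8cd98f00b204e9800998ecf8427e">examplepkg-1.0.tar.gz</a>
<a href="https://dl.example.org/examplepkg-1.1.tar.gz#sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">examplepkg-1.1.tar.gz</a>
<a href="http://dl.example.org/examplepkg-1.2.tar.gz">examplepkg-1.2.tar.gz</a>
<a href="http://example.org/examplepkg/" rel="homepage">examplepkg home</a>
</body></html>
"""

if __name__ == "__main__":
    print(classify_page(SAMPLE_INDEX, SAMPLE_BASE))
    print("unsafe:", relies_on_unsafe_external(SAMPLE_INDEX, SAMPLE_BASE))
```

Note that a link counts as safe only when the digest is well formed: a truncated or unknown fragment is treated as absent, since pip could not verify it either. The sample page lands in the "unsafe" bucket because of its plain-http link without a digest and its homepage crawl link, which is exactly the situation the quoted paragraph describes as exposing users to remote code execution by a man in the middle.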




More information about the Distutils-SIG mailing list