2010/8/14 Alexis Métaireau <ametair...@gmail.com>:
> Hi P.J,
>
> On 08/13/2010 10:20 PM, P.J. Eby wrote:
>> Has anybody given any thought to actually managing the *uses* of
>> Obsoletes-Release and Conflict-Release?
>>
>> In particular, I'm wondering what installation tools are expected to
>> do with this information. Unless these fields are merely advisory in
>> nature, I can foresee some user-hostile applications of the fields,
>> e.g. by two forks of a package constantly marking each other's
>> packages as obsoleted, conflicting, etc.
> That's true, but if we choose to put our trust in the packagers,
> then we couldn't do anything to avoid them doing things like that. Other
> packaging solutions have chosen to rely on trusted packagers only, and
> have a specific process to handle the packaging.
>
> I hope this is not needed for python, if we were having such issues, we
> could think of a solution at this time, I guess.

You mean a package audit done by a human before it's added at PyPI?

PyPI is not a distribution, it's a repository of packages for the
community, so that will never happen. If you want to give your trust to
just one single party, you need to use a Python distribution where each
package is carefully audited and added, as you said.

Regards
Tarek