On Sun, Jan 29, 2012 at 6:47 PM, Richard Jones <r1chardj0...@gmail.com> wrote:
> Hi catalog-sig,
>
> When we initially implemented file upload to PyPI it was our intention
> that the file be immutable once uploaded. The goal was to make things
> significantly simpler for end users - there would only ever be one
> file with a given name. If the content changed then so must the name
> (typically by creating a new release version.)
>
> After the upload facility was put in place we also added the ability
> to delete files uploaded to pypi. This created a loophole: if a
> package owner knew how to they could delete the file and re-upload,
> thus circumventing the replacement protection.
>
> I'm considering closing this loophole by retaining a record of the
> uploaded file (though not the contents) so that future uploads with
> the same name wouldn't be allowed. I understand that this is how the
> ruby gem archive handles deletion of files.

+1

Jim

--
Jim Fulton
http://www.linkedin.com/in/jimfulton
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
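
The delete-and-re-upload loophole and the proposed fix from the quoted message, as an added example that is not part of the thread and is not PyPI's or the ruby gem archive's code. The class, table and file names are hypothetical, and an in-memory SQLite table stands in for the index's record of uploaded files.

```python
import hashlib
import sqlite3


class FilenameTaken(Exception):
    """Raised when an upload reuses a filename the index has already seen."""


class FileIndex:
    """Toy package index (hypothetical names; not PyPI's schema or code)."""

    def __init__(self, retain_deleted=True):
        self.retain_deleted = retain_deleted
        self.blobs = {}  # filename -> bytes, live files only
        self.db = sqlite3.connect(":memory:")
        # One row per filename ever accepted; the digest is kept, the bytes are not.
        self.db.execute("CREATE TABLE files (filename TEXT PRIMARY KEY, sha256 TEXT, deleted INTEGER)")

    def upload(self, filename, content):
        digest = hashlib.sha256(content).hexdigest()
        try:
            with self.db:
                self.db.execute("INSERT INTO files VALUES (?, ?, 0)", (filename, digest))
        except sqlite3.IntegrityError:
            raise FilenameTaken(filename) from None
        self.blobs[filename] = content
        return digest

    def delete(self, filename):
        if self.blobs.pop(filename, None) is None:
            raise KeyError(filename)
        with self.db:
            if self.retain_deleted:
                # Closed loophole: drop the contents, keep the name reserved.
                self.db.execute("UPDATE files SET deleted = 1 WHERE filename = ?", (filename,))
            else:
                # Original behaviour: the name becomes free again.
                self.db.execute("DELETE FROM files WHERE filename = ?", (filename,))


def delete_then_reupload(index, filename, first, second):
    """Return True if the filename could be replaced with different bytes."""
    index.upload(filename, first)
    index.delete(filename)
    try:
        index.upload(filename, second)
    except FilenameTaken:
        return False
    return True
```

With `retain_deleted=False` the same filename can end up serving different bytes after a delete; with `retain_deleted=True` the row survives deletion, so the only way to publish changed content is under a new filename.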