On Mon, Jan 30, 2012 at 10:07 PM, M.-A. Lemburg <[email protected]> wrote:
> A little off-topic, but I always find it strange that some users of PyPI
> appear to trust package authors with the software they put up on PyPI,
> but don't trust them when it comes to the release process.
>
> Very strange indeed...
>

I don't trust "package authors". I do trust specific versions of specific packages that I've tested. If I can't trust PyPI to always give me the exact same result for a specific package-version then I can't use it. IOW if a hacked maintainer account can modify existing releases - PyPI is a very real attack vector into many existing systems.

Nothing strange at all,
Yuval
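An added example, not part of the thread above: a small Python checker for the concern Yuval raises. It pins each package-version to a SHA-256 digest in the same `--hash=sha256:` line format that pip's hash-checking mode reads, and flags an artifact whose bytes no longer match the pin, which is what a silently replaced release would look like to a consumer. The package names, file contents and digests are constructed inside the example, not taken from PyPI.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Pin line format, the same one pip's hash-checking mode reads: <name>==<version> --hash=sha256:<hex>
PIN_RE = re.compile(r"^(?P<name>[\w.-]+)==(?P<version>[\w.]+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream, don't load the whole file
            h.update(chunk)
    return h.hexdigest()

def parse_pins(text):
    """Map (name, version) -> expected digest; reject any line that is not a hash pin."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[(m["name"], m["version"])] = m["digest"]
    return pins

def verify_artifacts(pins, artifacts):
    """artifacts maps (name, version) -> local file; returns 'ok', 'mismatch' or 'missing' per pin."""
    results = {}
    for key, expected in pins.items():
        path = artifacts.get(key)
        if path is None:
            results[key] = "missing"
        else:
            results[key] = "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"
    return results

def demo():
    """Constructed scenario: bar 2.1 is re-uploaded with new contents after it was pinned."""
    tmp = Path(tempfile.mkdtemp())
    foo, bar = tmp / "foo-1.0.tar.gz", tmp / "bar-2.1.tar.gz"
    foo.write_bytes(b"original foo 1.0\n")
    bar.write_bytes(b"original bar 2.1\n")
    pins = f"foo==1.0 --hash=sha256:{sha256_file(foo)}\nbar==2.1 --hash=sha256:{sha256_file(bar)}\n"
    bar.write_bytes(b"silently modified bar 2.1\n")  # same filename and version, different bytes
    return verify_artifacts(parse_pins(pins), {("foo", "1.0"): foo, ("bar", "2.1"): bar})
```

Running `demo()` reports `foo` as ok and `bar` as a mismatch; a line without a hash pin is rejected outright rather than silently accepted.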
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
