On Tuesday, January 31, 2012 at 7:46 PM, Terry Reedy wrote:
> 1. Record and check md5 hash on all downloads.
> 2. Redistribute files yourself (if license allows).
>
> Ignore in the sense of not responding as to why they are not an adequate alternative to your request.
>
> It is confusing.
> Please do not top post.
>
> On 1/31/2012 7:41 PM, Donald Stufft wrote:
> > Which suggestions did I ignore?
> >
> > On Tuesday, January 31, 2012 at 7:40 PM, Terry Reedy wrote:
> > > It is hard to take your security concerns too seriously when you
> > > consistently ignore security suggestions. Prohibiting deletion or
> > > replacement by authors will give you no protection against the site
> > > being compromised by other means, whereas the suggestions you ignore
> > > would.
> > >
> >
> >
>
> --
> Terry Jan Reedy
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>
>
Email client defaults to top posting.
1. Pip doesn't support this that I'm aware of. I'm looking at the possibility
of adding that to pip, but currently I believe it would require zc.buildout.
2. I already do this. This is currently the best option available to people, but
it is a poor option. It essentially equates to "Well, yes, PyPI is insecure by
design; if you want security, don't use it."
I'm also not arguing for just myself. I use the terms "me" and "my", but they are
placeholders for "anyone using this system". Unless you think that anyone
wanting to not be vulnerable to their app breaking without warning, and without
anything changing on their end (besides a new install), and wanting to not be
vulnerable to the security issues, should just "not use PyPI", which is
completely unreasonable.
The *best* place to fix this is in PyPI. That way the fix to these
vulnerabilities will be applied for *everyone*. Yes, I can work around it on a
personal level, but that doesn't help the community; it only helps me.
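Editor's note on suggestion 1 in the exchange above ("record and check md5 hash on all downloads"), the one Donald says pip of the time could not do. The following is an added example, not code from the thread, from pip or from PyPI, showing what that record-then-check workflow looks like when done by hand: the first fetch of a distribution pins its digest in a manifest, and every later fetch must match the pin or is refused. The manifest format (filename to "algo:hexdigest" in a JSON file), the function names and the sample package bytes are this example's own constructed assumptions. It uses SHA-256 rather than MD5, since MD5 collisions are practical and an attacker who can replace files on the index can also choose their contents. Later pip releases added an equivalent built-in ("--require-hashes" with "--hash=sha256:..." entries in a requirements file), which the thread predates.

```python
# Added example: hash pinning for files fetched from a package index.
# Not code from the thread, from pip or from PyPI. The manifest format
# (filename -> "algo:hexdigest"), the function names and the sample
# package bytes are constructed assumptions for this illustration.
import hashlib
import hmac
import json
from typing import Dict

# Only collision-resistant digests are accepted for pins. The thread says
# "md5", but MD5 collisions are practical, so it is rejected here.
ALLOWED_ALGOS = ("sha256", "sha384", "sha512")


def pin(data: bytes, algo: str = "sha256") -> str:
    """Return a pin string 'algo:hexdigest' for the given file contents."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"refusing to pin with weak or unknown digest {algo!r}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def record_download(manifest: Dict[str, str], filename: str, data: bytes,
                    algo: str = "sha256") -> Dict[str, str]:
    """First fetch of a file: store its pin in the manifest.

    Re-recording a filename whose contents changed is an error rather than a
    silent overwrite, so a replaced file on the index cannot quietly move
    the pin along with it.
    """
    new_pin = pin(data, algo)
    existing = manifest.get(filename)
    if existing is not None and not hmac.compare_digest(existing, new_pin):
        raise ValueError(f"{filename}: contents changed since it was pinned")
    manifest[filename] = new_pin
    return manifest


def verify_download(manifest: Dict[str, str], filename: str, data: bytes) -> bool:
    """Later fetch: True only if the file matches its recorded pin.

    Fails closed: an unpinned filename, or a pin that names a digest outside
    ALLOWED_ALGOS, is a failure, not a pass.
    """
    pinned = manifest.get(filename)
    if pinned is None:
        return False
    algo, _, expected = pinned.partition(":")
    if algo not in ALLOWED_ALGOS:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def save_manifest(manifest: Dict[str, str]) -> str:
    """Serialise the manifest; sorted keys keep diffs stable under version control."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def load_manifest(text: str) -> Dict[str, str]:
    """Load a manifest previously produced by save_manifest."""
    return json.loads(text)


def demo() -> Dict[str, bool]:
    """Walk through record-then-verify on constructed data; returns check results."""
    # Constructed stand-ins for an sdist fetched from the index; not real packages.
    original = b"PK\x03\x04 example-1.0.tar.gz contents (constructed)"
    replaced = b"PK\x03\x04 example-1.0.tar.gz contents (silently re-uploaded)"

    manifest: Dict[str, str] = {}
    record_download(manifest, "example-1.0.tar.gz", original)
    # Round-trip through JSON, as the manifest would be when kept in a file.
    manifest = load_manifest(save_manifest(manifest))

    results = {
        "same_file_verifies": verify_download(manifest, "example-1.0.tar.gz", original),
        "replaced_file_rejected": not verify_download(manifest, "example-1.0.tar.gz", replaced),
        "unknown_file_rejected": not verify_download(manifest, "other-2.0.tar.gz", original),
    }
    try:
        record_download(manifest, "example-1.0.tar.gz", replaced)
        results["re_pin_of_changed_file_refused"] = False
    except ValueError:
        results["re_pin_of_changed_file_refused"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The check fails closed on purpose: a filename with no pin is treated as a failure, so adding a new dependency forces a deliberate record step rather than slipping through. The caveat a practitioner should keep in mind is the one implicit in Donald's reply: pinning detects a file that changed after you first fetched it, which covers the "breaks without warning on a new install" case, but it says nothing about whether that first fetch was genuine. The first pin has to come from somewhere you trust more than the index itself, which is why the thread keeps returning to fixing this on the PyPI side rather than per user.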