Yuval Greenfield <ubershmekel <at> gmail.com> writes:
>
> Obviously this isn't the only problem if the account of an SQLAlchemy
> maintainer is compromised - other threats can manifest as well.

So, why you think PyPI has to have protections against the hacking of maintainers' accounts is beyond me. That's a completely unreasonable expectation. Besides, being able to delete a release is mandatory (imagine you have uploaded confidential files by mistake).

I don't even understand why people are having this discussion. PyPI is not a packaging *authority*. It's not Debian or Fedora or anything like that. It's just a place for people to publish files and metadata. You can't trust it any more than you can trust the uploaders themselves.

Regards

Antoine.
