On 05/feb/2013, at 02:36, Nick Coghlan <ncogh...@gmail.com> wrote:
> Something that caught my attention in the recent security discussions
> is the observation that one of the most common insecure practices in
> the Python community is to run "sudo pip" with unsigned packages
> (sometimes on untrusted networks).
>
> To my mind, this is a natural reaction to the user experience of pip:
> you run "pip install package", it complains it can't write to the
> system site packages directory, so you run "sudo pip install package"
> to give it the permissions it clearly wants.
>
> If pip used the user site packages by default (when running as anyone
> other than root), that dangerous UI flow wouldn't happen. Even when
> pip was run outside a virtualenv, it would "just work" from the user's
> perspective. It also has the advantage of keeping systems cleaner by
> default, since there will be a clear separation between system
> packages and pip-installed packages.
>
> Thoughts?
>
> Regards,
> Nick.

One meta-question: does this mailing list have any "authority" over pip? Are there any pip maintainers here? Because I see that pip development is being done on different channels, so I was wondering what the workflow is to discuss such modifications.

-- 
Giovanni Bajo :: ra...@develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
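One way to get the default Nick proposes in the quoted message today, as an added example that is neither from this thread nor from pip itself: a small wrapper that refuses a bare root install into the system site-packages and otherwise falls back to pip's real `--user` flag whenever no virtualenv is active. The `PIP_ALLOW_ROOT` opt-out variable and all function names here are my own assumptions, not pip options.

```shell
#!/bin/sh
# Decide how "pip install" should be invoked so that the
# "pip fails -> sudo pip" flow never becomes the path of least resistance.
# $1 = effective uid, $2 = 1 if a virtualenv is active, 0 otherwise.
# Prints the extra pip flags; returns 1 when the install should be refused.
pip_install_flags() {
    uid="$1"
    in_venv="$2"
    if [ "$uid" -eq 0 ]; then
        # Root inside a virtualenv only touches that environment: allow it.
        if [ "$in_venv" -eq 1 ]; then
            printf ''
            return 0
        fi
        # Root outside a virtualenv would write unsigned packages into the
        # system site-packages. Refuse unless explicitly opted in
        # (PIP_ALLOW_ROOT is a hypothetical knob of this wrapper, not of pip).
        if [ "${PIP_ALLOW_ROOT:-0}" = "1" ]; then
            printf ''
            return 0
        fi
        printf 'refusing to install into system site-packages as root\n' >&2
        return 1
    fi
    if [ "$in_venv" -eq 1 ]; then
        printf ''            # a virtualenv is already per-user and writable
    else
        printf -- '--user'   # default to the user site-packages directory
    fi
}

# Probe the real environment: uid and the VIRTUAL_ENV marker set by activate.
current_uid() { id -u; }
in_virtualenv() { if [ -n "${VIRTUAL_ENV:-}" ]; then echo 1; else echo 0; fi; }

# Wrapper a user could alias to "pip install"; never needs sudo.
safe_pip_install() {
    flags=$(pip_install_flags "$(current_uid)" "$(in_virtualenv)") || return 1
    # shellcheck disable=SC2086
    pip install $flags "$@"
}
```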
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig