On Tue, Feb 5, 2013 at 10:57 AM, Giovanni Bajo <ra...@develer.com> wrote:
> One meta-question: does this mailing-list have any "authority" over pip?

Nope. And none over Distribute/Setuptools either.

> Are there any pip maintainers here?

Yes, at least one. But the more the merrier, as they may have useful insights and should be a part of the discussion. We do also have at least one Distribute maintainer on the list. For Setuptools it would be best if Distribute and Setuptools could be merged.

But the question of authority isn't important, as I'm 100% sure the pip maintainers are just as interested in fixing the security issues as everybody else is, and since they are reasonable people, as are the Distribute maintainers, I don't see a problem.

I, as mentioned before, think we should start with the low-hanging fruit:

1. Packages should only be installed from the given package indexes. No scraping of websites as at least easy_install/buildout do, no downloading from external download links. A deprecation period for this of a couple of months, to give package authors the chance to upload their packages, is probably necessary.

2. SSL.

I guess we can start allowing external download links when we get a proper package signature process going, but personally I don't see the need. Even if it is secure, it is still brittle, as the more servers you have to serve packages, the more single points of failure you have. I really think Python packages should be on PyPI.

//Lennart
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
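The two "low-hanging fruit" rules above (install only from the declared package index, and only over SSL) can be enforced on the client side before anything is installed. The script below is an added example, not code from pip, Distribute or the Catalog-SIG thread: it reads a `requirements.txt`-style file and reports every line that would fetch code from outside an approved HTTPS index (an `--index-url`/`--extra-index-url` that is plain HTTP or points at an unapproved host, a `--find-links` page to be scraped, a direct download URL, or an editable install from a remote URL). The approved host set and the sample requirements file are constructed assumptions.

```python
"""Flag requirements-file lines that would pull code from outside an
approved HTTPS package index. Added example, not pip's own code."""
import re
from urllib.parse import urlparse

# Assumption: the only package index hosts an installation may use.
ALLOWED_INDEX_HOSTS = {"pypi.python.org"}

INDEX_OPTIONS = {"-i", "--index-url", "--extra-index-url"}
FIND_LINKS_OPTIONS = {"-f", "--find-links"}
EDITABLE_OPTIONS = {"-e", "--editable"}
# Any scheme, including VCS forms such as git+https://
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# pip treats '#' as a comment only at line start or after whitespace,
# so '#egg=foo' fragments inside URLs survive this.
COMMENT_RE = re.compile(r"(^|\s+)#.*$")


def _split_option(line):
    """Split '--opt value' or '--opt=value' into (option, value)."""
    head = line.split()[0]
    if "=" in head:
        opt, _, val = line.partition("=")
        return opt.strip(), val.strip()
    parts = line.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def check_index_url(url):
    """Return a problem description for an index URL, or None if acceptable."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "index URL is not served over HTTPS"
    if parsed.hostname not in ALLOWED_INDEX_HOSTS:
        return "index host %r is not an approved package index" % parsed.hostname
    return None


def check_requirements(text):
    """Return (line_number, line, reason) for each line that bypasses
    the approved HTTPS index; an empty list means the file is clean."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("-"):
            opt, val = _split_option(line)
            if opt in INDEX_OPTIONS:
                problem = check_index_url(val)
                if problem:
                    findings.append((number, raw, problem))
            elif opt in FIND_LINKS_OPTIONS:
                findings.append((number, raw,
                                 "--find-links scrapes an external page for downloads"))
            elif opt in EDITABLE_OPTIONS and URL_RE.match(val):
                findings.append((number, raw, "editable install from an external URL"))
            elif opt in ("-r", "--requirement"):
                findings.append((number, raw, "nested requirements file is not checked here"))
            # other options (--no-index, --no-deps, ...) do not add download sources
        elif URL_RE.match(line):
            findings.append((number, raw, "direct download URL bypasses the package index"))
    return findings


# Constructed sample input; the .invalid hosts are placeholders, not real sites.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project's file
--index-url https://pypi.python.org/simple/
--extra-index-url http://mirror.example.invalid/simple/
-f http://downloads.example.invalid/packages/
requests==1.1.0
http://downloads.example.invalid/foo-1.0.tar.gz#egg=foo
-e git+https://git.example.invalid/bar.git#egg=bar
six>=1.2
"""

if __name__ == "__main__":
    for number, line, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print("line %d: %s\n    %s" % (number, reason, line))
```

On the sample file the script reports four lines (the HTTP extra index, the `--find-links` page, the direct tarball URL and the editable VCS checkout) and accepts the HTTPS index line and the plain `name==version` requirements, which is exactly the split the two rules ask for. A `-r` line is only reported, not followed, so nested files need a separate pass.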