On Tue, Feb 5, 2013 at 2:18 PM, Donald Stufft <[email protected]> wrote:
> A longer deprecation wouldn't be a bad thing merely because a lot
> of people depend on this feature without even realizing it. Crate has
> an index you can use that removes all external urls to test your own
> projects on. --index-url=https://restricted.crate.io/ (through pip).
>
> Or rather a short deprecation in the tools where they'll crawl external
> links by default, and a long deprecation where they'll do it with an
> --enable-unsafe-externals or something.
>
> I certainly agree, though, that the current client-side crawling is a
> nuisance and makes for unreliability of installation procedures. I think we
> should move the crawling to the server side and cache packages.
Whatever we do to fix the PyPI security, it *will* break all the packages that now exist on third-party servers. As long as unsigned packages from third-party servers are allowed, we have a big honking security hole.

I'm now almost sorry I suggested a deprecation period, as this gives the wrong impression. So forget about it. I'm now suggesting a different deprecation:

For a couple of versions of Distribute and pip, we continue to crawl, but do not install the packages. Instead we exit with "Package found at <url>, but packages from third-party servers are not installed by easy_install because they pose a security issue."

//Lennart

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
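The policy both messages describe (keep crawling the index, but refuse to install anything served from a host other than the index itself unless the user opts in with something like --enable-unsafe-externals), as an added example written for this thread. It is not pip or Distribute code. The index URL, the flag name `allow_unsafe_externals`, the sample links and the wording of the refusal message (adapted from Lennart's proposal) are all assumptions made for the example; links are compared by host and port after resolving them against the index page, so a plaintext http:// link to the index host is also treated as a different origin.

```python
"""Policy check for release links found while crawling an index.

Added example for this thread (not pip/Distribute code): keep crawling the
index's simple pages, but refuse to install any file served from a host
other than the index host unless the caller opts in explicitly.
"""
from urllib.parse import urljoin, urlparse

# Assumption: the index whose host is trusted. Everything else is "external".
INDEX_URL = "https://pypi.python.org/simple/"

# Refusal text adapted from the proposal in the thread (assumed wording).
REFUSAL = ("Package found at {url}, but packages from third-party servers "
           "are not installed because they pose a security issue.")

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(hostname, port) for url, filling in the scheme's default port."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    port = parts.port or _DEFAULT_PORTS.get(parts.scheme)
    return host, port


def is_external(link, index_url=INDEX_URL):
    """True when link (absolute, or relative to the index page) is served
    from a different host/port than the index itself. A plain http:// link
    to the index host therefore counts as external too (different port)."""
    resolved = urljoin(index_url, link)
    return _origin(resolved) != _origin(index_url)


def select_installable(links, index_url=INDEX_URL, allow_unsafe_externals=False):
    """Split crawled links into (installable_urls, refusal_messages).

    With allow_unsafe_externals=False (the proposed default), external
    links are reported with a refusal message but never installed.
    """
    installable, refusals = [], []
    for link in links:
        resolved = urljoin(index_url, link)
        if is_external(resolved, index_url) and not allow_unsafe_externals:
            refusals.append(REFUSAL.format(url=resolved))
        else:
            installable.append(resolved)
    return installable, refusals


# Constructed sample links, as a crawler might find on a project's simple page.
SAMPLE_LINKS = [
    "../../packages/source/f/foo/foo-1.0.tar.gz",           # relative, index host
    "https://pypi.python.org:443/packages/source/f/foo/foo-1.1.tar.gz",
    "http://example.org/dist/foo-1.2.tar.gz",               # third-party server
    "https://pypi.python.org.evil.example/foo-1.3.tar.gz",  # lookalike host
]

if __name__ == "__main__":
    ok, refused = select_installable(SAMPLE_LINKS)
    for url in ok:
        print("install:", url)
    for msg in refused:
        print(msg)
```

Comparing resolved origins rather than doing a substring match on the host name is what catches the lookalike entry in the sample list; a check like `"pypi.python.org" in url` would have let it through.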
