On Feb 23, 2013, at 00:44, Donald Stufft <donald.stu...@gmail.com> wrote:
> On Friday, February 22, 2013 at 6:37 PM, Justin Cappos wrote:
>> 1c) hide/show a package version
>>
>> I need to look into this more. There are several ways this can be set up
>> and I need to understand more to know how to respond. Offhand, I would say
>> that having the developer sign and upload metadata indicating hidden vs.
>> visible is the most secure. From a usability perspective, PyPI could sign
>> something stating this instead, but this requires trusting PyPI more than
>> may be wise. Were it my system, I'd prefer the former (and can talk more
>> about risks with the latter), but either choice seems reasonable.
>
> Hiding/showing a package on PyPI is only in the web UI. It doesn't actually
> affect what the installation tools can find.

Uh-uh, I never knew this until today. Then this is, by itself, a possible security hole. I would like to see this fixed somehow (either by removing the feature or by making sure installation tools match the web UI experience).

-- 
Giovanni Bajo :: ra...@develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig