On Wednesday, February 27, 2013 at 10:39 AM, M.-A. Lemburg wrote:
> -1.
> There are many reasons for not hosting packages and distributions
> on PyPI itself.
> If you use and trust a package, you also have to know and trust its
> dependencies, no matter where they are hosted, so you're not gaining
> any security by disabling links to other download locations: if
> you don't trust the way a package is hosted, you don't use it; if
> you do, then removing the link breaks the package and all its
> dependencies.

You also have to know and trust the hosting locations for all of them, and
if they are not available via SSL you have to know and trust that there is
not a MITM available. 
> Instead of suggesting to removing support for externally hosted packages,
> why not propose a mechanism to provide a more direct/secure way to
> reference them ?

I did mention a method for doing that in my email. However there are reasons
beyond the security ones to require packages being hosted on PyPI. Namely
uptime, privacy, and performance.
Catalog-SIG mailing list

Reply via email to