On Tue, Mar 12, 2013 at 2:21 PM, PJ Eby <p...@telecommunity.com> wrote: > The *only* thing I object to is the part where some people want to ban > external links from /simple, always and forever, regardless of the > package authors' choice in the matter.
Here's the thing though, there are already a bunch of other ways users can install packages from external repositories. I can think of at least two: * I can pip/easy_install a given URL (e.g. easy_install https://www.djangoproject.com/download/1.5/tarball/) * I can use a custom index server (pip install -i http://localserver/ django) The important part is that in each of those cases I can see clearly where I'm getting things from. OTOH, if I do "pip install Django" I — the person making the install — have no control over where that package comes from. It really violates people's expectations that this reaches out to somewhere that's not-pypi. More importantly it prevents me from making a security choice -- I literally don't know until the download starts where the file might be coming from. >From where I stand the absolutely non-negotiable part is that `pip/easy_install/whatever package` should NEVER access an external host (after some suitable transition period). This needs to include older installer software, and it needs to make it hard for new tools to do the wrong thing. How this is achieved really doesn't matter to me -- if there's a "pip install --insecure Django" that's fine too -- but to me it's non-negotiable that the out-of-the-box configuration not allow external hosts. Yes, this means taking some options away from the package creator. It means that when I'm wearing my author-of-Django hat I can't choose to list Django on PyPI but provide the download elsewhere. That's not perfect, but given a "creator choice" vs "out of the box security" choice the latter has to win. [And as a package creator I still have options: I can run my own package server, fairly easy to do these days.] Again, the *how* isn't a big deal to me, but the result is really important: the tooling has to be secure-by-default, and that means (among other things) `pip install package` can never hit something that's not PyPI without me explicitly asking for it. Jacob _______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
