On July 23, 2014 at 6:27:31 PM, Nick Coghlan (ncogh...@gmail.com) wrote:
> a) For private indexes, being able to override upstream is a feature, not a bug
> b) Categorically preventing spoofing is what end-to-end signing is for
I forgot to mention that you basically need to trust the maintainers of the
packages you choose to install anyways. Even if we don’t use multi-index it’s
trivial for a package to masquerade as another one. In metadata 2.0 even with
package signing you end up where I can have you install “django-foobar” which
depends on “FakeDjango”, which provides “Django”, and then for all intents and
purposes you have a “Django” package installed.
The point being we can’t rely on the index ACLs to protect a user who has
elected to install something that does something bad. The authors of a package
that the user has opted to install *are not* in the threat model.
--
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
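The “django-foobar” / “FakeDjango” chain above, worked through as a toy resolver. This is an added illustration, not code from the message and not pip's or distutils' resolver; the package names, versions and the index are constructed for the example, and the `provides` field stands in for a Provides-Dist style claim. It also shows the check a user or tool would want: a list of requirements that ended up satisfied by a distribution of a different name.

```python
# Added illustration (not code from the message or from pip/distutils): a toy
# resolver showing how a "Provides" claim in package metadata lets one
# distribution stand in for another name. Package names below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Dist:
    """Minimal stand-in for a distribution's metadata."""
    name: str
    version: str
    requires: tuple = ()   # names this distribution depends on
    provides: tuple = ()   # extra names it claims to satisfy (cf. Provides-Dist)


def normalize(name: str) -> str:
    """Compare names case-insensitively, treating '_' and '-' alike."""
    return name.lower().replace("_", "-")


# Constructed sample index: hypothetical packages, not real PyPI projects.
INDEX = [
    Dist("django-foobar", "1.0", requires=("FakeDjango",)),
    Dist("FakeDjango", "9.9", provides=("Django",)),
    Dist("Django", "1.6.5"),
]


def find_candidates(req: str, index) -> list:
    """Distributions able to satisfy `req`: exact-name matches first,
    then any distribution that merely claims to provide that name."""
    want = normalize(req)
    exact = [d for d in index if normalize(d.name) == want]
    by_provides = [d for d in index
                   if d not in exact and any(normalize(p) == want for p in d.provides)]
    return exact + by_provides


def resolve(requirements, index, installed=None):
    """Install `requirements` (and their dependencies) into `installed`.

    `installed` maps a normalized name -> Dist, with one entry for the
    distribution's own name and one for every name it provides.  Returns
    the updated environment plus a list of (requested name, actual
    distribution name) pairs where a requirement was satisfied by a
    distribution of a different name; that list is the check a user or
    tool would want before trusting the result.
    """
    installed = dict(installed or {})
    substitutions = []
    queue = list(requirements)
    while queue:
        req = queue.pop(0)
        key = normalize(req)
        if key in installed:
            chosen = installed[key]
        else:
            cands = find_candidates(req, index)
            if not cands:
                raise LookupError(f"nothing satisfies {req!r}")
            chosen = cands[0]
            installed[normalize(chosen.name)] = chosen
            for provided in chosen.provides:
                # Claiming a name does not displace a genuinely installed one.
                installed.setdefault(normalize(provided), chosen)
            queue.extend(chosen.requires)
        if normalize(chosen.name) != key:
            pair = (req, chosen.name)
            if pair not in substitutions:
                substitutions.append(pair)
    return installed, substitutions


if __name__ == "__main__":
    # Step 1: the user only asks for django-foobar.
    env, subs = resolve(["django-foobar"], INDEX)
    print(sorted(env))                 # ['django', 'django-foobar', 'fakedjango']
    # Step 2: a later requirement for Django is already "satisfied" by FakeDjango.
    env, subs = resolve(["Django"], INDEX, env)
    print(env["django"].name, subs)    # FakeDjango [('Django', 'FakeDjango')]
```

Two things the run makes visible: the real Django is never consulted once FakeDjango has claimed the name, and nothing in index ACLs or per-package signing would have flagged it, since every distribution installed was exactly what its author published; only the substitutions list, i.e. checking that the name you asked for is the name you got, surfaces it.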