On 29/09/2014 10:50, Nick Coghlan wrote:
> On 29 Sep 2014 19:04, "M.-A. Lemburg" <m...@egenix.com> wrote:
>> Do you seriously want to force package authors to cut a new release
>> just because a single uploaded distribution file is broken for
>> some reason and then ask all users who have already installed one
>> of the non-broken ones to upgrade again, even though they are not
>> affected?
>
> Yes, I do. Silently changing released artefacts is actively user hostile.
> It breaks mirroring, it breaks redistribution, it breaks security audits,
> and it can even break installation for security conscious users that are
> using peep rather than pip.
.......
What would be the objection to removing or nulling a release package that had
actual malware embedded in it somehow. It seems reasonable to have some last
resort take-down mechanism.
--
Robin Becker
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
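The breakage Nick describes for hash-verifying installers is easy to see in code. The following is an added example, not code from this thread, pip or peep: it implements a minimal peep-style check in which each distribution file of a release is pinned by digest in a requirements line (modelled on pip's `--hash=<alg>:<hex>` syntax), and a file that has been silently replaced on the index fails verification even though its name and version are unchanged. The package name, the requirements text and the file contents are constructed for the example.

```python
import hashlib
import hmac
import re

# One or more "--hash=<alg>:<hexdigest>" tokens may follow a requirement;
# a release with several distribution files (sdist, wheels) pins one per file.
HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9_]+):(?P<digest>[0-9a-fA-F]+)")


def parse_pinned_hashes(requirements_text):
    """Map 'name==version' -> {alg: set(hexdigests)} from requirements lines.

    Comments and blank lines are ignored; a requirement with no --hash
    tokens gets an empty mapping, which verify_artifact() treats as a failure.
    """
    pinned = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        requirement = line.split()[0]
        digests = pinned.setdefault(requirement, {})
        for match in HASH_RE.finditer(line):
            digests.setdefault(match.group("alg"), set()).add(match.group("digest").lower())
    return pinned


def verify_artifact(data, digests):
    """Return True only if data matches a pinned digest for some algorithm.

    An unpinned requirement is rejected rather than silently accepted, and
    the comparison is constant-time so a hash check never leaks partial matches.
    """
    for alg, expected in digests.items():
        actual = hashlib.new(alg, data).hexdigest()
        if any(hmac.compare_digest(actual, e) for e in expected):
            return True
    return False


def check_fetched_files(requirements_text, fetched):
    """fetched: {'name==version': [bytes, ...]} as downloaded from an index.

    Returns {'name==version': [True/False per file]} so a caller can refuse
    to install when any file for a release fails its pin.
    """
    pinned = parse_pinned_hashes(requirements_text)
    return {
        requirement: [verify_artifact(blob, pinned.get(requirement, {})) for blob in blobs]
        for requirement, blobs in fetched.items()
    }


# Constructed sample: a release with two distribution files, both pinned at the
# time the requirements file was written.
SDIST_AT_RELEASE = b"example-pkg-1.0.tar.gz contents (constructed)"
WHEEL_AT_RELEASE = b"example_pkg-1.0-py3-none-any.whl contents (constructed)"
REQUIREMENTS = (
    "example-pkg==1.0 "
    f"--hash=sha256:{hashlib.sha256(SDIST_AT_RELEASE).hexdigest()} "
    f"--hash=sha256:{hashlib.sha256(WHEEL_AT_RELEASE).hexdigest()}\n"
)

# The sdist later replaced in place on the index without a new version number.
SDIST_REPLACED = b"example-pkg-1.0.tar.gz contents (constructed, rebuilt)"


def demo():
    """Same release name, same version: the rebuilt sdist fails, the wheel passes."""
    return check_fetched_files(
        REQUIREMENTS,
        {"example-pkg==1.0": [SDIST_REPLACED, WHEEL_AT_RELEASE]},
    )


if __name__ == "__main__":
    print(demo())
```

Because the pin is on the bytes rather than on the version string, an installer like this cannot tell a quietly rebuilt file from a tampered one, which is exactly why a replaced artefact has to be treated as a new release rather than corrected in place.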