On 13 October 2014 13:08, holger krekel <[email protected]> wrote:
> On Mon, Oct 13, 2014 at 12:00 +0100, Paul Moore wrote:
>> On 13 October 2014 11:40, holger krekel <[email protected]> wrote:
>> > and I just noted that the very Python guide on packaging is advertising
>> > using plain --extra-index-url for private packages as well:
>> >
>> > http://docs.python-guide.org/en/latest/shipping/packaging/#personal-pypi
>>
>> I can see your point here (I'm not sure I agree with it, but that's a
>> separate issue).
>
> Sorry but what is there to agree or discuss? If recommending
> --extra-index-url for private packages does not come with a big fat
> warning that you need to publicly register the name with PyPI,
> it exposes users to direct compromise of their machine, plain and simple.
I would view it as a matter of the trust model. If you don't trust PyPI, then you should not download direct from there. That applies whether or not you have a private index as well. If you do trust PyPI, then you presumably understand the risks.

I'd be happy enough to see a note that whenever you use pip without specifying --no-index you trust PyPI. I don't mind if there's a further note that if you serve packages from your local index they will be considered as equal candidates with packages of the same name on PyPI *regardless of who uploaded them to PyPI*. But I don't accept that there's a need to over-stress the risk. After all, if I mistype an install command as "pip install devpy", I'm just as exposed to compromise of my machine.

Paul.

_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
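The "equal candidates" behaviour discussed in this thread, as an added illustration that is not part of the list post or of pip's own code: a deliberately simplified model of how pip merges candidates from `--index-url` and `--extra-index-url` (every index contributes, the highest version wins, no preference for the index listed first). The package name, versions and index URLs are constructed for the example.

```python
from dataclasses import dataclass

# Simplified model of pip's candidate merging across indexes: all indexes
# contribute candidates and the highest version wins, with no priority
# given to --index-url over --extra-index-url. Illustration only, not
# pip's implementation; names, versions and URLs below are constructed.

@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # e.g. (1, 2, 0); simplified, no PEP 440 parsing
    index: str

# Constructed index contents: a private index hosting "acme-internal",
# and a public index that also serves a package of the same name.
PRIVATE_INDEX = "https://pypi.internal.example/simple"
PUBLIC_INDEX = "https://pypi.org/simple"
INDEXES = {
    PRIVATE_INDEX: [Candidate("acme-internal", (1, 2, 0), PRIVATE_INDEX)],
    PUBLIC_INDEX: [Candidate("acme-internal", (99, 0, 0), PUBLIC_INDEX)],
}

def resolve(name, index_urls):
    """Pick the best candidate for `name` across the given indexes."""
    found = [c for url in index_urls
             for c in INDEXES.get(url, []) if c.name == name]
    if not found:
        return None
    return max(found, key=lambda c: c.version)

def is_trusted(candidate, trusted_indexes):
    """Defensive check: accept only candidates served by an index we trust."""
    return candidate is not None and candidate.index in trusted_indexes

# Weak configuration from the thread: private index plus PyPI as an extra index.
weak = resolve("acme-internal", [PRIVATE_INDEX, PUBLIC_INDEX])
# Hardened configuration: the internal name is only resolved against the private index.
hardened = resolve("acme-internal", [PRIVATE_INDEX])

if __name__ == "__main__":
    print("weak    :", weak)
    print("hardened:", hardened)
    print("weak result from a trusted index?", is_trusted(weak, {PRIVATE_INDEX}))
```

The weak configuration selects the public 99.0.0 candidate over the private 1.2.0 one, which is exactly the risk the thread describes; the `is_trusted` check is the kind of guard a deployment pipeline can apply before installing.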
