On 2017-02-17 09:56:04 +0100 (+0100), Nick Coghlan wrote:
[...]
> So if we rely on a manual "publish with pinned dependencies", "get bug
> report from redistributor or app developer", "republish with unpinned
> dependencies", we'll be in a situation where:
>
> - the affected app developer or redistributor is going to have a negative
>   experience with the project
> - the responsible publisher is either going to have a negative interaction
>   with an end user or redistributor, or else they'll just silently move on to
>   find an alternative library
> - we relinquish any control of the tone used when the publisher is alerted
>   to the problem
>
> By contrast, if we design the metadata format such that *PyPI* can provide
> a suitable error message, then:
>
> - publishers get alerted to the problem *prior* to publication
> - end users and redistributors are unlikely to encounter the problem
>   directly
> - we retain full control over the tone of the error notification
[...]
It seems like the same could be said of many common mistakes which can be identified with some degree of certainty through analysis of the contents being uploaded. Why not also scan for likely security vulnerabilities with a static analyzer and refuse offending uploads unless the uploader toggles the magic "yes I really mean it" switch? Surely security issues are even greater downstream risks than simple dependency problems. (NB: I'm not in favor of that either, just nudging an example in the reductio ad absurdum direction.)

-- 
Jeremy Stanley

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig