On Fri, 21 Apr 2017, Jannis Gebauer wrote:

> They could, of course, fix this very easily by running their own PyPi mirrors.

And now they have two problems.


On the one hand, I agree that there is a potential for some abuse and
vulnerabilities... but I think that I'd argue that if you're in a
position where you're worried about that attack vector and you're using
pypi.python.org then *you're doing it wrong!*

On systems where I'm worried about pypi as an attack vector, I've
downloaded the packages, built wheels, and stuck them in an S3 bucket,
and I install with `--no-index --find-links=/path/to/my/wheelhouse`.


I'm not sure if there are any improvements that you could make to the
security of pip/pypi that are much better, but I'm not a security expert
:)

-Wayne
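The wheelhouse approach above moves the trust from PyPI to whatever bucket the wheels sit in, so the natural companion is a hash-pinned requirements file that pip checks with `--require-hashes`. The following added example (my code, not Wayne's and not part of pip) verifies a local wheelhouse against such a file before issuing the same `--no-index --find-links` install; the package name `demo_pkg`, the requirements text and the wheel bytes are constructed for the demo, not real artifacts.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One pinned line:  name==version --hash=sha256:<64 hex> [--hash=sha256:... per platform wheel]
_PIN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==(\S+)")  # single-line form only; no backslash continuations
_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_pins(text):
    """Map (normalized name, version) -> set of allowed sha256 digests."""
    pins = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            pins[(m.group(1).lower().replace("-", "_"), m.group(2))] = set(_HASH.findall(line))
    return pins

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_wheelhouse(wheelhouse, pins):
    """Return a list of problems; empty means every pin has a wheel whose digest is allowed."""
    problems = []
    for (name, version), allowed in pins.items():
        wheels = list(Path(wheelhouse).glob(f"{name}-{version}-*.whl"))  # PEP 427 file naming
        if not wheels:
            problems.append(f"missing wheel for {name}=={version}")
        for whl in wheels:
            digest = sha256_file(whl)
            if digest not in allowed:
                problems.append(f"hash mismatch for {whl.name}: {digest}")
    return problems

def pip_install_argv(wheelhouse, requirements):
    """The install line from the message, plus --require-hashes so pip re-verifies each file."""
    return ["pip", "install", "--no-index", f"--find-links={wheelhouse}",
            "--require-hashes", "-r", str(requirements)]

def run_demo():
    """Constructed data: one fake wheel, checked intact, then modified after its hash was pinned."""
    with tempfile.TemporaryDirectory() as wh:
        whl = Path(wh) / "demo_pkg-1.0-py3-none-any.whl"  # hypothetical package, not a real wheel
        whl.write_bytes(b"constructed wheel contents")
        pins = parse_pins(f"demo-pkg==1.0 --hash=sha256:{sha256_file(whl)}\n")
        clean = verify_wheelhouse(wh, pins)
        whl.write_bytes(b"constructed wheel contents, altered in the bucket")
        tampered = verify_wheelhouse(wh, pins)
    return {"clean": clean, "tampered": tampered}
```

Run the verification first and only hand `pip_install_argv(...)` to a subprocess when it returns no problems; pip's own `--require-hashes` check then acts as a second, independent gate.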
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig