On Wed, 5 Jul 2023 at 17:12, Stephen J. Turnbull
<turnbull.stephen...@u.tsukuba.ac.jp> wrote:
>  > 4)  A self-contained repository of packages that you could point
>  >     pip to -- it would contain only the packages that had met some
>  >     sort of "vetting" criteria. In theory, anyone could run it, but
>  >     a stamp of approval from the PSF would make it far more
>  >     acceptable to people. This would be a LOT of work to get set
>  >     up, and still a lot of work to maintain.
>
> Why "self-contained"?  I always enter PyPI through the top page.  I'd
> just substitute curated-pypi.org's top page.  Its search results would
> be restricted to (or prioritize) the curated set, but it would take
> me to the PyPI page of the recommended package.

Part of the desired protection is the prevention of typosquatting.
That means there has to be something that you can point pip to and say
"install this package", and it's unable to install any non-curated
package.

There are many protections against typosquatting (and malware
installation in general), but this particular one can be very
effective, albeit with some fairly significant costs.

ChrisA
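The mechanism Chris describes, a curated index that pip can be pointed at and that simply cannot resolve a non-curated name, as an added example that is not part of the thread: a minimal PEP 503 "simple" index where only vetted projects get a project page and every other name (typosquats included) gets 404. The curated set and the file links are constructed placeholders; a real index would list the vetted distribution files.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample curated set (placeholder for the vetting process's output).
CURATED = {"requests", "numpy", "Flask", "python-dateutil"}


def normalize(name: str) -> str:
    """PEP 503 name normalization; pip applies the same rule, so the index must too."""
    return re.sub(r"[-_.]+", "-", name).lower()


def resolve(path: str, curated=CURATED):
    """Map a simple-index request path to (status, body).

    Only names in the curated set get a project page. Anything else, including
    near-miss spellings, is 404, so pip cannot install it from this index.
    """
    allowed = {normalize(n) for n in curated}
    parts = [p for p in path.split("/") if p]
    if not parts or parts[0] != "simple" or len(parts) > 2:
        return 404, ""
    if len(parts) == 1:  # root listing: the whole curated set, nothing more
        links = "".join(f'<a href="/simple/{n}/">{n}</a>\n' for n in sorted(allowed))
        return 200, f"<html><body>\n{links}</body></html>"
    name = normalize(parts[1])
    if name not in allowed:
        return 404, ""
    # Placeholder project page; a real index lists the vetted files here.
    return 200, f"<html><body><!-- vetted files for {name} --></body></html>"


class CuratedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = resolve(self.path)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Then: pip install --index-url http://127.0.0.1:8080/simple/ requests
    HTTPServer(("127.0.0.1", 8080), CuratedHandler).serve_forever()
```

The protection only holds if pip is pointed at this index with `--index-url`; `--extra-index-url` keeps PyPI as a fallback, and any name missing from the curated set would be fetched from there.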
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/TUY6PLLPQOVDDKYV2CZE4QYAEKCZCURT/
Code of Conduct: http://python.org/psf/codeofconduct/