Re: [Distutils] The sad and insecure state of commercial private package indexes

2017-04-24 Thread Robert Collins
On 24 April 2017 at 17:10, Nick Coghlan wrote:
> On 22 April 2017 at 21:05, Donald Stufft wrote:
>> I think the biggest barrier to doing it in pip is simply the UX of it. We’re
>> currently constrained by the fact that *all* of our options are available as

Re: [Distutils] The sad and insecure state of commercial private package indexes

2017-04-23 Thread Nick Coghlan
On 22 April 2017 at 21:05, Donald Stufft wrote:
> I think the biggest barrier to doing it in pip is simply the UX of it. We’re
> currently constrained by the fact that *all* of our options are available as
> CLI flags, environment variables, and of course, a config file. This

Re: [Distutils] The sad and insecure state of commercial private package indexes

2017-04-22 Thread Donald Stufft
> On Apr 22, 2017, at 3:13 AM, Nick Coghlan wrote:
>
> Nobody has been motivated to implement that capability for the
> Python-specific tooling so far, as it competes against two
> alternatives that will often make more architectural sense:
>
> - automated build pipelines

Re: [Distutils] The sad and insecure state of commercial private package indexes

2017-04-22 Thread Nick Coghlan
On 22 April 2017 at 06:25, Wayne Werner wrote:
> On Fri, 21 Apr 2017, Jannis Gebauer wrote:
>
>> They could, of course, fix this very easily by running their own PyPi
>> mirrors.
>
> And now they have two problems.
>
> On the one hand, I agree that there is a potential

Re: [Distutils] The sad and insecure state of commercial private package indexes

2017-04-21 Thread Wayne Werner
On Fri, 21 Apr 2017, Jannis Gebauer wrote:
> They could, of course, fix this very easily by running their own PyPi
> mirrors.

And now they have two problems.

On the one hand, I agree that there is a potential from some abuse and vulnerabilities... but I think that I'd argue that if you're in a

[Distutils] The sad and insecure state of commercial private package indexes

2017-04-21 Thread Jannis Gebauer
I did some research on commercial private package indexes, namely Gemfury and packagecloud. Both of them recommend using `--extra-index-url` as a parameter to point to their own index servers hosting the private package. This is blatantly insecure. Using `--extra-index-url` tells pip to use
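The following is an added example, not code from the thread, from pip, or from either vendor. It models the one pip behaviour the post above is about: candidates from `--index-url` and every `--extra-index-url` are pooled with no priority between indexes, and the highest version wins. The two PEP 503 "simple" index pages and the project name `acme-internal` are constructed for illustration; the private index URL is hypothetical.

```python
"""Model of pip's candidate selection across --index-url and --extra-index-url.

Added example (not pip's own code). The index pages below are constructed
PEP 503 "simple" listings; `acme-internal` and private.example are hypothetical.
"""
import re
from html.parser import HTMLParser

# Constructed simple-index pages, keyed by normalised project name.
PRIVATE_INDEX = {
    "acme-internal": """<html><body>
<a href="acme-internal-1.0.tar.gz">acme-internal-1.0.tar.gz</a>
<a href="acme-internal-1.1.tar.gz">acme-internal-1.1.tar.gz</a>
</body></html>""",
}
PUBLIC_INDEX = {
    # A third party has registered the same name on the public index
    # with an implausibly high version number.
    "acme-internal": """<html><body>
<a href="acme-internal-99.0.tar.gz">acme-internal-99.0.tar.gz</a>
</body></html>""",
}

# Index URL -> listing; stands in for HTTP fetches of <index>/<project>/.
INDEXES = {
    "https://pypi.org/simple": PUBLIC_INDEX,
    "https://private.example/simple": PRIVATE_INDEX,
}


class _LinkParser(HTMLParser):
    """Collect href values of <a> tags, as a simple-index client does."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def parse_simple_page(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.hrefs


# sdist filename: <name>-<version>.tar.gz (enough for this model)
_SDIST_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)\.tar\.gz$")


def version_key(ver):
    """Numeric tuple so that 1.10 > 1.9, unlike a string comparison."""
    return tuple(int(part) for part in ver.split("."))


def candidates(index_url, listing, project):
    """All (version, index_url) pairs an index offers for a project."""
    page = listing.get(project)
    if page is None:
        return []
    found = []
    for href in parse_simple_page(page):
        m = _SDIST_RE.match(href)
        if m and m.group("name") == project:
            found.append((m.group("ver"), index_url))
    return found


def resolve(project, indexes, index_url, extra_index_urls=()):
    """Return (version, index_url) pip would pick for an unpinned requirement.

    Every configured index is searched and the candidates are pooled; the
    extra indexes are not lower priority than --index-url. The highest
    version wins regardless of which index served it.
    """
    pool = list(candidates(index_url, indexes[index_url], project))
    for url in extra_index_urls:
        pool.extend(candidates(url, indexes[url], project))
    if not pool:
        raise LookupError(f"no candidates for {project}")
    return max(pool, key=lambda cand: version_key(cand[0]))


if __name__ == "__main__":
    # Vendor-recommended setup: PyPI as the index, private server as an extra.
    print(resolve("acme-internal", INDEXES, "https://pypi.org/simple",
                  ["https://private.example/simple"]))
    # The public look-alike at 99.0 shadows the private 1.1.

    # Single index: the private server is the only index pip talks to
    # (it would have to proxy PyPI for everything else).
    print(resolve("acme-internal", INDEXES, "https://private.example/simple"))
```

In the first call the public 99.0 release is selected even though the private index was explicitly configured, which is the failure the post describes. The second call is the "run your own mirror" shape discussed later in the thread: one `--index-url` that serves both the private packages and a proxy of PyPI, so the public name collision is never consulted. Pinning `==1.1` alone does not close the gap, since the same version can be uploaded publicly; a single authoritative index, or hash-checked installs, does.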