[Python-Dev] Keyword meanings [was: Accept just PEP-0426]

Barry Warsaw barry at python.org
Thu Dec 6 00:18:12 CET 2012


On Dec 05, 2012, at 06:07 PM, Donald Stufft wrote:

> If you're installing B you've prescribed trust to that author. If you don't trust the author then why are you installing (and then executing) code they wrote.

What if you installed Z, but B got installed because it was a dependency three levels down?

> Very convenient to declare that one of the major use cases for Obsoletes over Obsoleted-By is not valid because of your own personal opinions. Like I said above, if you're installing a package that someone has uploaded you've implicitly granted them trust. There are far worse things that a bad Python citizen can do during and after an install than what is allowed by Obsoletes.

Well, basically never installing anything from PyPI except into a virtualenv is probably a good recommendation (maybe even now).

> End systems often times do not have a singular organization controlling every package in their system. The best example is Ubuntu and their PPAs.

Well, PPAs are awesome, but have known and well-publicized trust issues. I wouldn't enable a PPA into my running system without really knowing who the owner is and why I'm using their PPA. Or doing a lot of testing in a chroot first, and probably pinning the package set to just the one(s) from the PPA I care about.

Cheers, -Barry
