[openstack-dev] pip requirements externally host (evil evil stab stab stab)

Alex Gaynor alex.gaynor at gmail.com
Mon Jul 22 16:50:10 UTC 2013


As a heads up I filed bugs with each of these projects (with the exception
of netifaces, which doesn't appear to have a tracker). The dnspython
maintainer has already uploaded the package to PyPi and disabled scraping!

Alex


On Fri, Jul 19, 2013 at 8:04 PM, Monty Taylor <mordred at inaugust.com> wrote:

> Hey guys!
>
> PyPI is moving towards the world of getting people to stop hosting stuff
> via external links. It's been bad for us in the past and one of the
> reasons for the existence of our mirror. pip 1.4 has an option to
> disallow following external links, and in 1.5 it's going to be the
> default behavior.
>
> Looking forward, we have 5 pip packages that host their stuff
> externally. If we have any pull with their authors, we should get them
> to actually upload stuff to pypi. If we don't, we should strongly
> consider our use of these packages. As soon as pip 1.4 comes out, I
> would like to moving forward restrict the addition of NEW requirements
> that do not host on pypi. (all 5 of these host insecurely as well, fwiw)
>
> The culprits are:
>
> dnspython,lockfile,netifaces,psutil,pysendfile
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130722/99a3bd6b/attachment.html>


More information about the OpenStack-dev mailing list