PMXBOT Log file Viewer

#pypa-dev logs for Sunday the 2nd of November, 2014

[09:39:08] <techtonik> dstufft: what is the plan for virtualenv 12? https://github.com/pypa/virtualenv/milestones
[09:40:18] <techtonik> 0.11.6 still doesn't work on windows in some cases
[16:43:41] <tomprince> dstufft: I was just reading the thread on PEP470 and security. I think I understand holger's concern.
[16:45:10] <tomprince> If I am working on some proprietary app mycompany_cool_stuff, and I package it up and put it on a private index.
[16:46:58] <tomprince> If I then point --extra-index-url at that index, anybody can attack my installations, by registering that package on pypi, and putting up a version 99!9999 or something.
[16:47:24] <tomprince> Or perhaps, more likely, I just named my package cool_stuff (so more chance of a collision).
[16:47:51] <dstufft> tomprince: I understand the concern, I just don't think it has anything to do with PEP 470 because I'm not telling people to go use --extra-index-url on their private package repos
[16:47:58] <tomprince> Now, while having thought about how things interact for all of a couple of seconds, that behavior is obvious.
[16:48:44] <tomprince> But that isn't an attack vector that I hadn't considered.
[16:49:31] <tomprince> But you are encouraging people to use --extra-index-url, and making it more well publicized.
[16:49:56] <tomprince> Perhaps it is an issue that is better dealt with in pip, I guess.