On Tue, Jun 15, 2021 at 12:50:03PM +0200, Petr Viktorin wrote:
> On 15. 06. 21 2:11, Neal Gompa wrote:
> > It's not terribly different from how organizations may have private
> > Python package indexes that may use whatever names they want for
> > Python software they build and release.
> I agree, in fact, I think Fedora's problems here are a subset of the
> problems the private organizations have: if issues of proprietary
> corps are solved, we can use the solution as well. (However, it'll
> need more work than is necessary for Fedora/FOSS needs, so I don't
> want to drive the effort.)
> BUT, if the issues are solved, it'll likely be through namespacing:
> we'd need to prefix our names with `fedora-` or `fedora:`. I still
> think it is better for Fedora to reuse the public PyPI namespace
> rather than start its own.
Registering on PyPI for private packages can be useful to avoid
dependency confusion attacks[1]. Essentially we're talking about the
same problem here.
[1]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
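The point made above (reserving the public name, or namespacing, to avoid dependency confusion) can be seen in a small offline model. The following is an added example, not code from the thread or from Fedora: it imitates a client that merges a private index with the public one (the behaviour pip has with `--extra-index-url`, where candidates from every index are pooled and the highest version wins regardless of origin), and it includes an audit helper a packager could run over a snapshot of both indexes to see which internal names are exposed. All index contents and package names below are constructed sample data.

```python
"""Offline model of merged-index version resolution and a name audit.

Added example for the discussion above; the index snapshots are
constructed, not real PyPI data.
"""
from typing import Dict, List, Optional, Tuple

# package name -> list of available version strings
Index = Dict[str, List[str]]

# Constructed private index: one internal-only name, plus the same code
# published under a namespaced (prefixed) name.
PRIVATE_INDEX: Index = {
    "buildhelper": ["1.4.0"],
    "fedora-buildhelper": ["1.4.0"],
}

# Constructed public index: an ordinary package, and a package that a
# third party registered under the unreserved internal name with a
# deliberately high version number.
PUBLIC_INDEX: Index = {
    "requests": ["2.25.1", "2.31.0"],
    "buildhelper": ["99.0.0"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Minimal dotted-version parser; enough for the sample data."""
    return tuple(int(part) for part in v.split("."))


def resolve(name: str, indexes: List[Tuple[str, Index]]) -> Optional[Tuple[str, str]]:
    """Pool candidates from every configured index and pick the highest
    version, ignoring which index it came from (merged-index behaviour).

    Returns (version, index_label) or None if no index carries the name."""
    candidates = []
    for label, index in indexes:
        for version in index.get(name, []):
            candidates.append((parse_version(version), version, label))
    if not candidates:
        return None
    _, version, label = max(candidates)
    return version, label


def reserve_name(public: Index, name: str, placeholder: str = "0.0.0") -> Index:
    """Model of registering the internal name on the public index under
    your own account with a placeholder release, so nobody else can
    claim it and the placeholder never outranks the private build."""
    reserved = {pkg: list(versions) for pkg, versions in public.items()}
    reserved[name] = [placeholder]
    return reserved


def audit_private_names(private: Index, public: Index) -> Dict[str, str]:
    """For each private name, report how it stands on the public index."""
    report = {}
    for name, versions in private.items():
        if name not in public:
            report[name] = "unreserved on public index"
            continue
        public_max = max(parse_version(v) for v in public[name])
        private_max = max(parse_version(v) for v in versions)
        if public_max > private_max:
            report[name] = "public index has higher version"
        else:
            report[name] = "private version currently wins"
    return report


if __name__ == "__main__":
    merged = [("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)]
    print("unreserved name:", resolve("buildhelper", merged))
    print("namespaced name:", resolve("fedora-buildhelper", merged))
    clean_public = {"requests": ["2.25.1", "2.31.0"]}
    with_reservation = [("private", PRIVATE_INDEX),
                        ("public", reserve_name(clean_public, "buildhelper"))]
    print("reserved name:", resolve("buildhelper", with_reservation))
    print("audit:", audit_private_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

Running it shows the three outcomes the thread is weighing: the unreserved name resolves to the public 99.0.0, the `fedora-` prefixed name resolves only from the private index, and once the plain name is reserved publicly with a placeholder the private 1.4.0 wins again. The audit output is what a packager would want to check before relying on either strategy.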
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx