publish to PyPI?

[njzjz]

Hi, I am wondering if you could publish openmpi and mpich to PyPI.

Since PyPI doesn't contain these two packages, it has the risk of being attacked. See:

• https://pytorch.org/blog/compromised-nightly-dependency/
• https://github.com/pypa/pip/issues/8606

[dalcinl]

I could, but there are a few matters to address first.

To begin with, I'm hesitant to take full responsibility of the public PyPI package. One thing is to be the owner of a private repository where you set the all rules under your own responsibility and commitment. A different thing is to deal with public infrastructure as PyPI.

The way my mpich and openmpi packaged are crafted is according to my very particular way of how to do things, and others may not necessarily agree. I'm not a member of either the MPICH or Open MPI development team. Therefore, I don't think it is up to me to set the rules and shove it into everyone's throat.

To the specifics of risk management for the MPICH and Open MPI packages:

• Theopenmpi https://pypi.org/p/openmpi package is already registered on PyPI, precisely to prevent dependency confusion attacks. Therefore IMHO there are no risks related to Open MPI, unless the owner of the package (research@cycode.com) is not trustworthy.
• The mpich package is not registered on PyPI yet. Indeed, it may become an attack vector anytime. If you are a user of the MPICH packages being built here and you care about your own security, then maybe you should contact research@cycode.com and ask them to also register MPICH, at least for the time being.