Open njzjz opened 4 months ago

Hi, I am wondering if you could publish openmpi and mpich to PyPI. Since PyPI doesn't contain these two packages, it has the risk of being attacked. See:

I could, but there are a few matters to address first.

To begin with, I'm hesitant to take full responsibility for the public PyPI package. One thing is to be the owner of a private repository where you set all the rules under your own responsibility and commitment. A different thing is to deal with public infrastructure such as PyPI.

The way my mpich and openmpi packages are crafted is according to my very particular way of how to do things, and others may not necessarily agree. I'm not a member of either the MPICH or Open MPI development team. Therefore, I don't think it is up to me to set the rules and shove them down everyone's throat.

To the specifics of risk management for the MPICH and Open MPI packages:

The openmpi package (https://pypi.org/p/openmpi) is already registered on PyPI, precisely to prevent dependency confusion attacks. Therefore IMHO there are no risks related to Open MPI, unless the owner of the package (research@cycode.com) is not trustworthy.

The mpich package is not registered on PyPI yet. Indeed, it may become an attack vector anytime. If you are a user of the MPICH packages being built here and you care about your own security, then maybe you should contact research@cycode.com and ask them to also register MPICH, at least for the time being.
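The exposure discussed in this thread is that a name served only from a private index can be shadowed by whoever later registers it on PyPI. The following audit script is an added example, not code from this issue or from the mpi4py project; it classifies each private package name by its status on the public index, and `fake_lookup`/`FAKE_PYPI` are a constructed stand-in for the PyPI JSON API so it runs offline (`pypi_lookup` is the live variant).

```python
"""Audit private package names for dependency-confusion exposure (added example)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional

PYPI_JSON = "https://pypi.org/pypi/{name}/json"


def pypi_lookup(name: str) -> Optional[dict]:
    """Live lookup: return the PyPI 'info' dict for name, or None if unregistered."""
    try:
        with urllib.request.urlopen(PYPI_JSON.format(name=name), timeout=10) as resp:
            return json.load(resp)["info"]
    except urllib.error.HTTPError as exc:
        if exc.code == 404:          # name not claimed on PyPI
            return None
        raise


def audit_names(private_names: Iterable[str],
                lookup: Callable[[str], Optional[dict]],
                trusted_owners: Iterable[str] = ()) -> dict:
    """Map each name to 'unclaimed', 'claimed-trusted' or 'claimed-untrusted'.

    'unclaimed' is the risky state: a public upload of that name with a higher
    version would be preferred by a resolver that consults both indexes.
    """
    trusted = set(trusted_owners)
    result = {}
    for name in private_names:
        info = lookup(name)
        if info is None:
            result[name] = "unclaimed"
            continue
        owner = info.get("author_email") or info.get("maintainer_email") or ""
        result[name] = "claimed-trusted" if owner in trusted else "claimed-untrusted"
    return result


# Constructed stand-in for the PyPI API (not real API output): openmpi is
# registered with the owner named in the thread, mpich is deliberately absent.
FAKE_PYPI = {"openmpi": {"name": "openmpi", "author_email": "research@cycode.com"}}


def fake_lookup(name: str) -> Optional[dict]:
    return FAKE_PYPI.get(name)


if __name__ == "__main__":
    for name, status in audit_names(["openmpi", "mpich"], fake_lookup,
                                    trusted_owners={"research@cycode.com"}).items():
        print(f"{name}: {status}")
```

Swap `fake_lookup` for `pypi_lookup` to run it against the real index; a `claimed-untrusted` result only means the owner is not on your trusted list, not that the package is malicious.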