On Fri, Jun 18, 2010 at 10:57 AM, Ian Bicking <span dir="ltr"><<a href="mailto:ianb@colorstudy.com" target="_blank">ianb@colorstudy.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>On Fri, Jun 18, 2010 at 4:10 AM, M.-A. Lemburg <span dir="ltr"><<a href="mailto:mal@egenix.com" target="_blank">mal@egenix.com</a>></span> wrote:<br></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
> If you think the package owner is opening up a security threat by<br>
> including the links in the first place - yes, that's indeed a risk.<br>
<br>
Is this feature still needed for setuptools ?<br></blockquote></div><div><br>It's fairly regularly used to link to repositories, e.g., I might put this text in a description:<br><br> To install `the tip tarball <<a href="http://bitbucket.org/ianb/webob/get/tip.gz#egg=webob-dev" target="_blank">http://bitbucket.org/ianb/webob/get/tip.gz#egg=webob-dev</a>>`_ use ``pip install webob==dev``<br>
</div></div></blockquote></div><br>It should be noted, though, that these links must be self-describing, with #egg in this case, or with a URL that is more obviously self describing like <a href="http://example.com/nightlies/webob-nightly.tar.gz" target="_blank">http://example.com/nightlies/webob-nightly.tar.gz</a> -- the problems people are describing here are with fetching other pages and scanning them for links. If I remember correctly homepage and download_url are fetched and scanned for links, and those cause all the problems (especially homepage, as download_url tends to point to something simpler and more reliable).<br clear="all">
<br>A simple security hole would be having a homepage that is a wiki -- anyone could edit the wiki and put up a link to a trojan package and it could get found and installed.<br><br>-- <br>Ian Bicking | <a href="http://blog.ianbicking.org" target="_blank">http://blog.ianbicking.org</a><br>