<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 2/14/13 11:49 PM, Donald Stufft
wrote:<br>
</div>
<blockquote cite="mid:6A088F76232F455FAB7CF90BAABDB143@gmail.com"
type="cite">
<div><span style="color: rgb(160, 160, 168); ">On Thursday,
February 14, 2013 at 5:43 PM, PJ Eby wrote:</span></div>
<blockquote type="cite"
style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span>
<div>
<div>
<div>On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <<a
moz-do-not-send="true"
href="mailto:ncoghlan@gmail.com">ncoghlan@gmail.com</a>>
wrote:</div>
<blockquote type="cite">
<div>
<div>I'm more concerned about phishing style attacks.
I don't want the PyPI</div>
<div>admins to have to start scanning for hostile
names like "distirbute".</div>
</div>
</blockquote>
<div><br>
</div>
<div>I'm not sure what you mean. These things exist only
for the</div>
<div>corresponding package (buildout, setuptools, or
distribute), and</div>
<div>aren't downloaded from any other project. Generally,
they are</div>
<div>downloaded either by 1) a human, or 2) another tool
that wants to</div>
<div>support installation in the absence of a pre-existing
setuptools or</div>
<div>distribute installation (mainly zc.buildout AFAIK).</div>
<div><br>
</div>
<div>(Or are you saying that somebody might upload a
project called, say,</div>
<div>"distribute_", and try to trick people into
downloading it? I'm not</div>
<div>sure how that's a threat that can be defended against
in any event.)</div>
<div><br>
</div>
<blockquote type="cite">
<div>So how often do the bootstrap files change?</div>
</blockquote>
<div><br>
</div>
<div>Setuptools releases an updated version with each new
release, as it</div>
<div>contains an MD5 signature for downloading the new
release. I *think*</div>
<div>distribute does the same. Not so sure about buildout.</div>
</div>
</div>
</span> </blockquote>
<div> Right, but it's easy for me to validate that the URL
someone is </div>
<div>pointing me to belongs to setuptools on PyPI because PyPI
enforces</div>
<div>the name setuptools-VERSION.tar.gz. So given a link to a file
I know</div>
<div>what project on PyPI owns that file, and I can then go back
and look</div>
<div>at that project page to verify its identity. If you have
arbitrary names</div>
<div>then that becomes much harder for me to do as a user.</div>
</blockquote>
<br>
Not really, because the URL gives you that information:<br>
<br>
For distribute, it will be located, for example, at:<br>
<br>
<a class="moz-txt-link-freetext" href="https://pypi.python.org/packages/source/d/distribute/XXXX">https://pypi.python.org/packages/source/d/distribute/XXXX</a><br>
<br>
<blockquote cite="mid:6A088F76232F455FAB7CF90BAABDB143@gmail.com"
type="cite">
<div><br>
</div>
<div>If the PR is written so that the filenames are still required
to start with</div>
<div>the project name, I would personally feel it's a lot less likely
to be easily phishable.</div>
</blockquote>
<br>
I don't understand this. <br>
<br>
<pre class="moz-signature" cols="72">--
Tarek Ziadé · <a class="moz-txt-link-freetext" href="http://ziade.org">http://ziade.org</a> · @tarek_ziade </pre>
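An added example, not code from the thread or from PyPI itself: the check Donald describes, written against the URL layout in Tarek's link (https://pypi.python.org/packages/source/&lt;first letter&gt;/&lt;project&gt;/&lt;filename&gt;) and the &lt;project&gt;-VERSION.&lt;ext&gt; filename rule. The host set, archive extensions and the version number in the comments are assumptions made for the example.

```python
"""Verify that a download link is attributed by PyPI to the project a user
expects, and that the filename starts with that project's name."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Hosts trusted to serve project files (assumption for this example).
PYPI_HOSTS = {"pypi.python.org"}
ARCHIVE_EXTS = (".tar.gz", ".tar.bz2", ".zip", ".egg")


def normalize(name: str) -> str:
    """Compare names case-insensitively with '-', '_' and '.' treated alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def owning_project(url: str) -> Optional[str]:
    """Return the project PyPI attributes the file to, or None when the link
    is not an https PyPI URL in the /packages/source/<letter>/<project>/ layout."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in PYPI_HOSTS:
        return None
    segments = parts.path.split("/")
    # expected: ['', 'packages', 'source', 'd', 'distribute', '<filename>']
    if len(segments) != 6 or segments[1:3] != ["packages", "source"]:
        return None
    _, _, _, letter, project, filename = segments
    if not project or not filename or letter != project[0].lower():
        return None
    return project


def link_belongs_to(url: str, expected_project: str) -> bool:
    """True only if the owning project is the expected one AND the archive
    filename starts with that project name, the rule Donald relies on to
    spot look-alike files such as 'distirbute-...' under another project."""
    project = owning_project(url)
    if project is None or normalize(project) != normalize(expected_project):
        return False
    filename = urlsplit(url).path.rsplit("/", 1)[-1]
    for ext in ARCHIVE_EXTS:
        if filename.endswith(ext):
            stem = filename[: -len(ext)]
            break
    else:
        return False  # not a release archive (e.g. a bootstrap script)
    # constructed sample: 'distribute-0.6.35' -> ('distribute', '-', '0.6.35')
    name, sep, version = stem.rpartition("-")
    return sep == "-" and bool(version) and normalize(name) == normalize(project)
```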
</body>
</html>