[Catalog-sig] start on static generation, and caching - apache config.

Stuart Bishop stuart at stuartbishop.net
Wed Jul 18 11:58:11 CEST 2007

Martin v. Löwis wrote:
>> The questions for us is, how much effort we are willing to make to
>> prevent people from shooting themselves in the foot.  I can understand
>> why Phillip would like the package index to prevent people from choosing
>> problematic package names.
> That's not my understanding - the issue isn't with "problematic package
> names", but with conflicting package names. IOW, any single name is
> fine - it's a pair of names that would cause a problem (and only if
> you wanted to install both packages on the same system).

By not blocking registration of packages with similar names, we are creating
a security problem. If there is a popular package 'CoolStuff', I just have
to upload a trojan 'coolstuff' and suddenly people will end up using my
trojan which they thought was coming from a trusted source. I think this
attack vector is possible right now and only a BUGTRAQ post away from being
common knowledge.

I think blocking this is the responsibility of the package index, as it is
the first point that it is possible to do so.

I think a reasonable restriction would be printable ASCII only names and not
allowing registration of a package with a name differing only in case,
whitespace or punctuation.

There are additional side benefits that fall out of this (being able
optimize searches by doing exact matches rather than fuzzy, or avoiding
whole classes of case-sensitivity or Unicode bugs in other applications
integrating with the registry, or reducing confusion to end users, or
reducing the likely hood of less user-hostile systems being developed and
making the official registry irrelevant - heck, I work on a closed source
system that would happily take the business).

Stuart Bishop <stuart at stuartbishop.net>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : http://mail.python.org/pipermail/catalog-sig/attachments/20070718/e971e102/attachment.pgp 

More information about the Catalog-SIG mailing list