[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

Tarek Ziadé ziade.tarek at gmail.com
Thu Jan 21 00:05:40 CET 2010

2010/1/20 "Martin v. Löwis" <martin at v.loewis.de>:
>> Of course, there's also a human dimension: we suppose that the people
>> running the mirror are people we can trust because they can
>> technically do malicious things in the mirror since we don't really
>> have any real protection (*yet*).
> That's not true: users of mirrors can verify that the mirrors are
> authentic. Neither can malicious operators modify the contents of
> their mirrors without clients noticing, nor can careless mirror
> operators threaten the integrity of a mirror even assuming somebody
> breaks into the mirror.

But users can't verify that the archives they download using tools like
easy_install are the real ones.

If I am a bad guy and I run a mirror, I can change a setup.py file in
an archive and make it do malicious things on the computer, and let
easy_install execute it for me.
The only verification done is the MD5 hash on the file, which can be
changed on the mirror (nothing prevents the mirror from computing its
own MD5 fragments in the download URLs).


Tarek Ziadé | http://ziade.org
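The scenario in the message above, as an added example that is not part of the original e-mail and is not PyPI, easy_install or setuptools code: a mirror serves both the archive and the download link carrying the "#md5=" fragment, so a rogue mirror can replace setup.py and recompute the fragment, and a client that only checks the fragment against the file accepts the tampered archive. The second client, which pins a digest obtained from the trusted primary index, is one illustrative remedy, not a description of what any tool did at the time. The archives, setup.py contents, mirror host names and the class/function names are all constructed for this example.

```python
import hashlib
import io
import tarfile
from urllib.parse import urlparse

# Constructed sample setup.py contents (not real packages). The "malicious"
# one is never executed by this example; it is only extracted and compared.
GENUINE_SETUP_PY = b"from distutils.core import setup\nsetup(name='pkg', version='1.0')\n"
MALICIOUS_SETUP_PY = (
    b"# hypothetical payload inserted by a rogue mirror\n"
    b"import os\nos.system('echo hello from the mirror')\n"
    b"from distutils.core import setup\nsetup(name='pkg', version='1.0')\n"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_sdist(setup_py: bytes) -> bytes:
    """Build a minimal sdist-like tar archive holding one setup.py.
    Uncompressed so the bytes (and therefore digests) are deterministic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()


def setup_py_of(archive: bytes) -> bytes:
    """Return the setup.py an installer would run, without running it."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return tar.extractfile("pkg-1.0/setup.py").read()


def parse_md5_fragment(url: str) -> str:
    """Pull the hex digest out of a '...#md5=<hex>' download link."""
    fragment = urlparse(url).fragment
    if not fragment.startswith("md5="):
        raise ValueError("no md5 fragment in link: %r" % url)
    return fragment[len("md5="):]


class Mirror:
    """Hypothetical mirror. It serves the archive AND the link that carries
    the '#md5=' fragment, so whatever archive it chooses to serve, the
    fragment it publishes will match it."""

    def __init__(self, archive: bytes, host: str):
        self.archive = archive
        self.link = "http://%s/pkg-1.0.tar#md5=%s" % (host, md5_hex(archive))

    def download(self, url: str) -> bytes:
        if url != self.link:
            raise KeyError(url)
        return self.archive


def fragment_only_install(mirror: Mirror):
    """Verification as the e-mail describes it: compare the downloaded file
    with the md5 fragment taken from the mirror's own link.
    Returns (accepted, setup_py_bytes_or_None)."""
    data = mirror.download(mirror.link)
    if md5_hex(data) != parse_md5_fragment(mirror.link):
        return False, None
    return True, setup_py_of(data)


def pinned_install(mirror: Mirror, trusted_sha256: str):
    """Illustrative hardened client: the expected digest comes out of band
    from the trusted primary index; the mirror only supplies bytes. SHA-256
    is used instead of MD5 because MD5 collisions are practical, but the
    decisive change is that the mirror no longer chooses the reference."""
    data = mirror.download(mirror.link)
    if hashlib.sha256(data).hexdigest() != trusted_sha256:
        return False, None
    return True, setup_py_of(data)


# The primary index holds the genuine archive; its digest is the trust anchor.
GENUINE = build_sdist(GENUINE_SETUP_PY)
TRUSTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()
HONEST = Mirror(GENUINE, "mirror-a.example")                    # copies the primary
ROGUE = Mirror(build_sdist(MALICIOUS_SETUP_PY), "mirror-b.example")  # swapped setup.py

if __name__ == "__main__":
    for name, mirror in (("honest", HONEST), ("rogue", ROGUE)):
        ok_frag, _ = fragment_only_install(mirror)
        ok_pin, _ = pinned_install(mirror, TRUSTED_SHA256)
        print("%-6s fragment-only accepts: %s  pinned accepts: %s" % (name, ok_frag, ok_pin))
```

Both mirrors pass the fragment-only check, because the fragment and the file come from the same party; only the pinned client notices that the rogue archive differs from what the primary published. The check in `parse_md5_fragment` is deliberately strict so that a link with no fragment at all fails closed rather than skipping verification.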

More information about the Catalog-SIG mailing list