[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI
"Martin v. Löwis"
martin at v.loewis.de
Thu Jun 17 23:32:55 CEST 2010
On 17.06.2010 15:16, M.-A. Lemburg wrote:
> Benji York wrote:
>> On Thu, Jun 17, 2010 at 7:40 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>>> BTW: what are all those bug links doing on the zc.buildout index page?
>> PyPI scrapes all the links from the long description; for many projects
>> that includes a change log with links to fixed bugs.
> Isn't that dangerous?
> AFAIK, setuptools would start opening all those URLs and might
> find download files which are not necessarily under full control of
> the author, e.g. anyone could add a comment to a bug report or
> wiki page with a link to an egg file on some rogue server.
I think you misunderstand. Links originate *only* from the long
description. The package owner has full control over that.
If you think the package owner is opening up a security threat by
including the links in the first place - yes, that's indeed a risk.
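The thread turns on one mechanism: PyPI extracts every URL from a package's long description and publishes them on the index page, and an installer such as setuptools may then dereference those links looking for distributions. The script below is an added example, not code from the thread or from PyPI/setuptools. It audits a constructed long description, extracts the URLs the way a scraper would, and separates links on hosts the author trusts from external links, flagging external URLs that look like downloadable distributions (egg, tarball, zip). The sample text, the `trusted_hosts` argument and the host names in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample long description (not from any real package on PyPI).
SAMPLE_LONG_DESCRIPTION = """
zc.example
==========

Download: http://pypi.python.org/packages/source/z/zc.example/zc.example-1.0.tar.gz

Changes
-------

1.0 (2010-06-17)
  - Fixed `bug 1234 <https://bugs.launchpad.net/zc.example/+bug/1234>`_.
  - See discussion on http://example.org/wiki/SomePage for details.
  - Mirror: http://mirror.invalid/eggs/zc.example-1.0-py2.6.egg
"""

# Roughly what a link scraper picks up: an http(s) URL up to whitespace or
# a closing delimiter used by reStructuredText / HTML.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# File suffixes an installer would treat as a distribution it can download.
DIST_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip", ".egg", ".exe")


def extract_links(text):
    """Return every http(s) URL in the text, in order of first appearance."""
    links = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:")  # drop trailing sentence punctuation
        if url not in links:
            links.append(url)
    return links


def classify_links(text, trusted_hosts):
    """Sort the links a scraper would publish into three buckets.

    trusted:       host is one the package author controls (caller-supplied)
    external_dist: off-trusted host AND looks like a downloadable distribution,
                   i.e. exactly the kind of link an installer might fetch
    external:      any other off-trusted link (bug trackers, wikis, ...)
    """
    trusted = {host.lower() for host in trusted_hosts}
    report = {"trusted": [], "external": [], "external_dist": []}
    for url in extract_links(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in trusted:
            report["trusted"].append(url)
        elif parsed.path.lower().endswith(DIST_SUFFIXES):
            report["external_dist"].append(url)
        else:
            report["external"].append(url)
    return report


if __name__ == "__main__":
    result = classify_links(SAMPLE_LONG_DESCRIPTION, ["pypi.python.org"])
    for bucket, urls in result.items():
        print(bucket)
        for url in urls:
            print("   ", url)
```

Running it against the sample shows the distinction the thread is about: the bug-tracker and wiki links are merely published, but the `.egg` on the untrusted mirror is a link an installer could follow, so an author reviewing their long description before upload would want that bucket to be empty.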