[Catalog-sig] [Proposal] Registered packages must provide the source code distribution on PyPI

"Martin v. Löwis" martin at v.loewis.de
Thu Jun 17 23:32:55 CEST 2010


On 17.06.2010 15:16, M.-A. Lemburg wrote:
> Benji York wrote:
>> On Thu, Jun 17, 2010 at 7:40 AM, M.-A. Lemburg<mal at egenix.com>  wrote:
>>> http://pypi.python.org/simple/zc.buildout/
>>>
>>> BTW: what are all those bug links doing on the zc.buildout index page?
>>
>> PyPI scrapes all the links from the long description; for many projects
>> that includes a change log with links to fixed bugs.
>
> Isn't that dangerous?
>
> AFAIK, setuptools would start opening all those URLs and might
> find download files which are not necessarily under full control of
> the author, e.g. anyone could add a comment to a bug report or
> wiki page with a link to an egg file on some rogue server.

I think you misunderstand. Links originate *only* from the long 
description. The package owner has full control over that.

If you think the package owner is opening up a security threat by 
including the links in the first place - yes, that's indeed a risk.

Regards,
Martin
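The concern raised in this exchange, that a /simple/<project>/ page carries every link scraped from the long description and that setuptools will follow any of them looking for downloads, can be checked mechanically. The following is an added example, not code from the thread or from PyPI/setuptools: it parses a simple-index page, resolves each link, and separates distribution files served by the index host from distribution-looking links that point at some other host. The trusted host set, the file suffix list and the sample page are assumptions constructed for the example.

```python
"""Audit the links a PyPI /simple/<project>/ page exposes.

Added example, not part of the original thread. Assumes the old-style
simple index the thread discusses: an HTML page whose <a> tags were
scraped from the long description and which setuptools then follows
when looking for downloads. Host names and the sample page are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts the index itself serves files from (assumption for this example;
# adjust for the index you are auditing).
TRUSTED_HOSTS = {"pypi.python.org"}

# Suffixes that mark a link as an installable distribution (assumed list).
DIST_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip", ".egg", ".exe")


class _LinkCollector(HTMLParser):
    """Collect every href on the page, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href:
            self.links.append(urljoin(self.base_url, href))


def classify_links(page_html, base_url):
    """Return (trusted_dists, external_dists, other) as lists of URLs.

    external_dists is the list worth attention: links that look like
    distribution files but live on a host the index does not control,
    which is exactly what an installer following the page would fetch.
    """
    collector = _LinkCollector(base_url)
    collector.feed(page_html)
    trusted, external, other = [], [], []
    for url in collector.links:
        parts = urlsplit(url)
        # The fragment (e.g. #md5=...) is not part of the path, so the
        # suffix check sees the real file name.
        is_dist = parts.path.lower().endswith(DIST_SUFFIXES)
        if not is_dist:
            other.append(url)
        elif parts.hostname in TRUSTED_HOSTS:
            trusted.append(url)
        else:
            external.append(url)
    return trusted, external, other


# Constructed sample page: one file hosted by the index, one bug-tracker
# link scraped from a change log, and one distribution link pointing at
# an unrelated host.
SAMPLE_PAGE = """
<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=0123">example-1.0.tar.gz</a>
<a href="https://bugs.example.invalid/issue/42">Issue 42</a>
<a href="http://files.example.invalid/example-1.1.egg">example-1.1.egg</a>
</body></html>
"""

if __name__ == "__main__":
    trusted, external, other = classify_links(
        SAMPLE_PAGE, "http://pypi.python.org/simple/example/")
    for url in trusted:
        print("served by the index:", url)
    for url in external:
        print("distribution link on a non-index host:", url)
```

Run against a real page, the "external" list is the set of files an installer could pick up from servers outside the index operator's control; an empty list means the project's long description links cause no off-index downloads.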

