[Catalog-sig] Extra links on the PyPI /simple index package pages

M.-A. Lemburg mal at egenix.com
Fri Jun 18 11:10:43 CEST 2010

"Martin v. Löwis" wrote:
> Am 17.06.2010 15:16, schrieb M.-A. Lemburg:
>> Benji York wrote:
>>> On Thu, Jun 17, 2010 at 7:40 AM, M.-A. Lemburg<mal at egenix.com> wrote:
>>>> http://pypi.python.org/simple/zc.buildout/
>>>> BTW: what are all those bug links doing on the zc.buildout index page?
>>> PyPI scrapes all the links from the long description; for many projects
>>> that includes a change log with links to fixed bugs.
>> Isn't that dangerous?
>> AFAIK, setuptools would start opening all those URLs and might
>> find download files which are not necessarily under full control of
>> the author, e.g. anyone could add a comment to a bug report or
>> wiki page with a link to an egg file on some rogue server.
> I think you misunderstand. Links originate *only* from the long
> description. The package owner has full control over that.

I was referring to the linked assets that the package owner
may not have full control over, e.g. in the above case,
you have links pointing to launchpad and one to "file://".

Such links (except the file:// one) can be useful in the
package description, e.g. to point to a bug tracking
system, documentation or other resources, but they are
not really needed to point setuptools to download locations.

> If you think the package owner is opening up a security threat by
> including the links in the first place - yes, that's indeed a risk.

Is this feature still needed for setuptools?

We have download URLs and homepage URLs which should be enough for
setuptools to search and find the links to package download files.

If it's no longer needed, then it'd be safer not to include
the long description links on the /simple index pages anymore.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jun 18 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
2010-07-19: EuroPython 2010, Birmingham, UK                30 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
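As an added illustration of the concern raised in this thread (this is example code written for the page, not PyPI's or setuptools' own implementation): a small model of an installer that starts from a /simple index page and follows links looking for distribution files. It assumes the index marks the author-supplied metadata links with rel="homepage" and rel="download" and leaves links scraped from the long description unlabelled; the /simple page, the linked pages, and the hosts example.org, bugs.example.net and rogue.example.com are all constructed for the demo. The two policies compared are following every link on the page versus following only the labelled metadata links, plus a simple allow-list check on where a candidate file is hosted.

```python
"""Model of how an installer can be steered to a rogue egg by links that a
package index scrapes from a long description.  Constructed example; the
pages, URLs and hosts below are invented for the demo and the crawl
policy is a simplification, not setuptools' actual algorithm."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SIMPLE_URL = "http://pypi.python.org/simple/project/"

# Constructed stand-in for a /simple/<project>/ page: the homepage and
# download links from the metadata carry a rel attribute, the two links
# scraped from the long description (a bug tracker page and a file://
# URL, as in the thread) do not.
SIMPLE_PAGE = """
<html><body>
<a href="http://example.org/project/" rel="homepage">home page</a>
<a href="http://example.org/dl/project-1.0.tar.gz" rel="download">download</a>
<a href="http://bugs.example.net/bug/1234">bug #1234</a>
<a href="file:///tmp/notes.txt">file link</a>
</body></html>
"""

# Constructed "web": URL -> page body.  The bug tracker page carries a
# comment that anyone could have posted, pointing at an egg on a host the
# package author does not control.  URLs not listed here are unreachable.
WEB = {
    "http://example.org/project/":
        '<a href="http://example.org/dl/project-1.0.tar.gz">source</a>',
    "http://bugs.example.net/bug/1234":
        '<p>Fixed in 1.0.</p>'
        '<p>Comment by anon: try <a href="http://rogue.example.com/'
        'project-1.0.1-py2.6.egg">this build</a></p>',
}

DIST_SUFFIXES = (".egg", ".tar.gz", ".zip", ".exe")


class LinkParser(HTMLParser):
    """Collect (href, rel) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if "href" in a:
                self.links.append((a["href"], a.get("rel")))


def links_of(url, page):
    """Absolute (url, rel) pairs for every anchor on a page."""
    parser = LinkParser()
    parser.feed(page)
    return [(urljoin(url, href), rel) for href, rel in parser.links]


def find_candidates(simple_url, simple_page, follow_unlabelled):
    """Return the set of distribution URLs an installer would consider.

    follow_unlabelled=True models fetching every link on the index page,
    including those scraped from the long description, and scanning the
    fetched pages for distribution files.  False follows only the
    rel="homepage" / rel="download" links, which come from metadata the
    author fills in directly."""
    candidates = set()
    for href, rel in links_of(simple_url, simple_page):
        if href.endswith(DIST_SUFFIXES):
            candidates.add(href)          # a direct file link
            continue
        if rel not in ("homepage", "download") and not follow_unlabelled:
            continue                      # long-description link: skip
        body = WEB.get(href)              # "fetch"; None if unreachable
        if not body:
            continue
        for sub, _ in links_of(href, body):
            if sub.endswith(DIST_SUFFIXES):
                candidates.add(sub)
    return candidates


def foreign_candidates(candidates, trusted_hosts):
    """Candidates hosted anywhere other than the given allow-listed hosts;
    a check an installer could apply before downloading anything."""
    return {u for u in candidates if urlsplit(u).hostname not in trusted_hosts}


if __name__ == "__main__":
    unsafe = find_candidates(SIMPLE_URL, SIMPLE_PAGE, follow_unlabelled=True)
    strict = find_candidates(SIMPLE_URL, SIMPLE_PAGE, follow_unlabelled=False)
    print("following every link:", sorted(unsafe))
    print("metadata links only: ", sorted(strict))
    print("off-host candidates: ", sorted(foreign_candidates(unsafe, {"example.org"})))
```

With every link followed, the rogue egg linked from the bug comment shows up as an installable candidate; with only the labelled metadata links followed, only the author's own tarball does. The file:// link is harmless here only because the model refuses to read it; a real installer should not touch file:// URLs taken from a remote index at all.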
