[Catalog-sig] Extra links on the PyPI /simple index package pages

Ian Bicking ianb at colorstudy.com
Fri Jun 18 18:01:44 CEST 2010


On Fri, Jun 18, 2010 at 10:57 AM, Ian Bicking <ianb at colorstudy.com> wrote:

> On Fri, Jun 18, 2010 at 4:10 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>
>> > If you think the package owner is opening up a security threat by
>> > including the links in the first place - yes, that's indeed a risk.
>>
>> Is this feature still needed for setuptools ?
>>
>
> It's fairly regularly used to link to repositories, e.g., I might put this
> text in a description:
>
>   To install `the tip tarball <
> http://bitbucket.org/ianb/webob/get/tip.gz#egg=webob-dev>`_ use ``pip
> install webob==dev``
>

It should be noted, though, that these links must be self-describing, with
#egg in this case, or with a URL that is more obviously self describing like
http://example.com/nightlies/webob-nightly.tar.gz -- the problems people are
describing here are with fetching other pages and scanning them for links.
If I remember correctly homepage and download_url are fetched and scanned
for links, and those cause all the problems (especially homepage, as
download_url tends to point to something simpler and more reliable).

A simple security hole would be having a homepage that is a wiki -- anyone
could edit the wiki and put up a link to a trojan package and it could get
found and installed.

-- 
Ian Bicking  |  http://blog.ianbicking.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20100618/6a1b2796/attachment.html>


More information about the Catalog-SIG mailing list