[Catalog-sig] Extra links on the PyPI /simple index package pages

Ian Bicking ianb at colorstudy.com
Fri Jun 18 18:01:44 CEST 2010

On Fri, Jun 18, 2010 at 10:57 AM, Ian Bicking <ianb at colorstudy.com> wrote:

> On Fri, Jun 18, 2010 at 4:10 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>> > If you think the package owner is opening up a security threat by
>> > including the links in the first place - yes, that's indeed a risk.
>> Is this feature still needed for setuptools ?
> It's fairly regularly used to link to repositories, e.g., I might put this
> text in a description:
>   To install `the tip tarball <
> http://bitbucket.org/ianb/webob/get/tip.gz#egg=webob-dev>`_ use ``pip
> install webob==dev``

It should be noted, though, that these links must be self-describing, with
#egg in this case, or with a URL that is more obviously self-describing like
http://example.com/nightlies/webob-nightly.tar.gz -- the problems people are
describing here are with fetching other pages and scanning them for links.
If I remember correctly, homepage and download_url are fetched and scanned
for links, and those cause all the problems (especially homepage, as
download_url tends to point to something simpler and more reliable).

A simple security hole would be having a homepage that is a wiki -- anyone
could edit the wiki and put up a link to a trojan package and it could get
found and installed.

Ian Bicking  |  http://blog.ianbicking.org
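
As an added example, not part of the original message and not setuptools' own code: an audit sketch that sorts the links on an index page into the self-describing ones described above and the ones that would cause another page to be fetched and scanned for links. It assumes the index marks the homepage and download_url links with rel="homepage" and rel="download"; the sample page, the two rel= URLs, the archive-extension list and the category names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of filename endings that make a URL self-describing.
ARCHIVE_EXTS = (".tar.gz", ".tgz", ".tar.bz2", ".zip", ".egg")

# Constructed sample of a /simple/<project>/ page. The first two URLs are the
# ones quoted in the message; the rel= links are made up.
SAMPLE_PAGE = """
<a href="http://example.com/nightlies/webob-nightly.tar.gz">nightly</a>
<a href="http://bitbucket.org/ianb/webob/get/tip.gz#egg=webob-dev">tip</a>
<a href="http://wiki.example.org/WebOb" rel="homepage">home page</a>
<a href="http://example.com/webob/downloads/" rel="download">download_url</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, [rel tokens]) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], (a.get("rel") or "").lower().split()))

def classify(href, rel):
    parts = urlparse(href)
    # A #egg=name-version fragment names the distribution explicitly.
    if parts.fragment.startswith("egg="):
        return "self-describing"
    # Otherwise the filename itself has to look like an archive.
    if parts.path.lower().endswith(ARCHIVE_EXTS):
        return "self-describing"
    # homepage / download_url: the page behind the link gets fetched and
    # scanned, so whoever can edit that page controls what is offered.
    if "homepage" in rel or "download" in rel:
        return "crawled"
    return "unrecognised"

def audit(page):
    collector = LinkCollector()
    collector.feed(page)
    return [(href, classify(href, rel)) for href, rel in collector.links]

def crawled_pages(page):
    """URLs whose content should be reviewed for who is able to edit it."""
    return [href for href, kind in audit(page) if kind == "crawled"]

if __name__ == "__main__":
    for href, kind in audit(SAMPLE_PAGE):
        print(f"{kind:16} {href}")
```

The tip.gz link is only usable because of its #egg fragment; without it the URL falls into the unrecognised category.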