[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Wed Feb 1 01:58:14 CET 2012


On Tuesday, January 31, 2012 at 7:46 PM, Terry Reedy wrote:
> 1. Record and check md5 hash on all downloads.
> 2. Redistribute files yourself (if license allows).
> 
> Ignore in sense of not respond why not adequate alternative to your request.
> 
> It is confusing.
> Please do not top post
> 
> On 1/31/2012 7:41 PM, Donald Stufft wrote:
> > Which suggestions did I ignore?
> > 
> > On Tuesday, January 31, 2012 at 7:40 PM, Terry Reedy wrote:
> > > It is hard to take your security concerns too seriously when you
> > > consistently ignore security suggestions. Prohibiting deletion or
> > > replacement by authors will give you no protection against the site
> > > being compromised by other means, whereas the suggestions you ignore
> > > would.
> > > 
> > 
> > 
> 
> -- 
> Terry Jan Reedy
> 
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> http://mail.python.org/mailman/listinfo/catalog-sig
> 
> 

Email client defaults to top posting.

1. Pip doesn't support this that I'm aware of. I'm looking at the possibility of adding that to pip but currently I believe it would require zc.buildout.
2. I already do this. This is currently the best option available to people but it is a poor option. It essentially equates to "Well Yes PyPI is insecure by design, if you want security don't use it."

I'm also not arguing for just myself. I use the term "me" and "my" but they are placeholders for "anyone using this system". Unless you think that anyone wanting to not be vulnerable to their app breaking without warning, and without anything changing on their end (besides a new install) and wanting to not be vulnerable to the security issues should just "not use PyPI" which is completely unreasonable.

The *best* place to fix this is in PyPI. That way the fix to these vulnerabilities will be applied for *everyone*. Yes I can work around it on a personal level, but that doesn't help the community, it only helps myself.
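Added illustration of the first suggestion quoted above (record a hash at first download, check it on every later download), showing how a client-side pin catches a file that was silently replaced on the index under the same name. This is example code written for this archive page, not code from the thread, from pip, or from PyPI; the function names (`record_hash`, `verify_download`, `demo`) and the lock dictionary format are assumptions. sha256 is used by default, with md5 (the algorithm named in the thread) accepted only for existing records, since md5 collisions are practical.

```python
"""Pinned-hash verification for downloaded distribution files (added example)."""
import hashlib
import hmac
import os
import tempfile

# sha256 for new records; md5 only so that older recorded digests can still be checked.
ALLOWED_ALGORITHMS = {"sha256", "md5"}


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of a file, streamed so large archives are not read into memory at once."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_hash(lock, path, algorithm="sha256"):
    """First download: store (algorithm, digest) keyed by file name (trust on first use)."""
    name = os.path.basename(path)
    lock[name] = (algorithm, digest_file(path, algorithm))
    return lock[name]


def verify_download(lock, path):
    """Return (ok, reason). A file with no recorded hash is rejected rather than auto-pinned."""
    name = os.path.basename(path)
    if name not in lock:
        return False, f"{name}: no recorded hash; refusing to install an unpinned file"
    algorithm, expected = lock[name]
    actual = digest_file(path, algorithm)
    # Constant-time comparison avoids leaking how many leading digest characters matched.
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: {algorithm} mismatch (recorded {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: {algorithm} verified"


def demo():
    """Simulate a same-name file replacement and return the three verification outcomes."""
    lock = {}  # hypothetical lock store; a real client would persist this beside requirements
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-1.0.tar.gz")
        with open(path, "wb") as fh:
            fh.write(b"constructed sdist contents v1")  # constructed sample payload
        record_hash(lock, path)
        first_ok, _ = verify_download(lock, path)  # unchanged file: passes

        # Same file name, different bytes: what a replaced upload looks like to the client.
        with open(path, "wb") as fh:
            fh.write(b"constructed sdist contents v1 -- modified")
        second_ok, second_msg = verify_download(lock, path)  # fails on digest mismatch

        # A name never recorded is refused outright instead of being trusted.
        unpinned_ok, _ = verify_download(lock, os.path.join(tmp, "other-2.0.tar.gz"))
    return first_ok, second_ok, unpinned_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check is only as good as the record: the first digest has to come from a download you trust, and the lock should be committed and reviewed like any other dependency metadata, so that a later change to a pinned file shows up as an explicit edit rather than a silent install-time difference.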

