[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Yuval Greenfield ubershmekel at gmail.com
Wed Feb 1 10:01:49 CET 2012

On Wed, Feb 1, 2012 at 10:36 AM, Chris Withers <chris at simplistix.co.uk> wrote:

> On 01/02/2012 07:12, Yuval Greenfield wrote:
>> +1 on removing this security loophole in any of the ways suggested here.
> Good grief, it's not a "security loophole".
> If you actually cared about security, you'd already be using, recording
> and checking the MD5 checksums provided with each download and would
> already know that this isn't a security loophole.
> If you're not, then quit with the security theater.
> cheers,
Would you testify that HTTP is secure because I can emulate TLS in

PyPI should do what it can within reason to be consistent and safe for all
its users. We're talking about a standard best practice for sites with user
generated content. The original API was aware of this best practice and a
loophole was eventually introduced. Please do read the OP.
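The client-side check Chris describes above (record the checksum published with each download, then compare it on every later fetch of the same filename) as an added Python example; it is not code from the original thread or from PyPI, and the filename and file contents are constructed.

```python
"""Pin a per-file checksum so a file silently replaced under the same name is detected."""
import hashlib
import hmac

# Constructed sample "downloads": the bytes first served for a release file,
# and a different payload later served under the exact same filename.
ORIGINAL = b"metadata-version: 1.0\nname: example\nversion: 1.0\n"
REPLACED = b"metadata-version: 1.0\nname: example\nversion: 1.0\nextra: changed\n"
FILENAME = "example-1.0.tar.gz"  # constructed name


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of the file bytes; md5 is what the index published at the time."""
    return hashlib.new(algorithm, data).hexdigest()


def record(lockfile: dict, filename: str, data: bytes, algorithm: str = "md5") -> None:
    """Store the checksum seen at first download, keyed by filename."""
    lockfile[filename] = (algorithm, digest(data, algorithm))


def verify(lockfile: dict, filename: str, data: bytes) -> bool:
    """True only if the bytes match the checksum recorded for this filename.

    An unknown filename fails closed: nothing recorded means nothing to trust.
    """
    if filename not in lockfile:
        return False
    algorithm, expected = lockfile[filename]
    return hmac.compare_digest(digest(data, algorithm), expected)


def demo() -> tuple:
    """Record the first download, then re-check the original and the replaced file."""
    lockfile = {}
    record(lockfile, FILENAME, ORIGINAL)
    return (verify(lockfile, FILENAME, ORIGINAL), verify(lockfile, FILENAME, REPLACED))


if __name__ == "__main__":
    same, replaced = demo()
    print(f"original matches: {same}, replaced file matches: {replaced}")
```

The recorded digest turns a same-name re-upload into a hard install failure on the client, which is the protection Chris refers to; it does not stop the index from serving the replaced file to clients that never recorded a checksum.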
