[Catalog-sig] Proposal: close the PyPI file-replacement loophole
ubershmekel at gmail.com
Wed Feb 1 10:01:49 CET 2012
On Wed, Feb 1, 2012 at 10:36 AM, Chris Withers <chris at simplistix.co.uk> wrote:
> On 01/02/2012 07:12, Yuval Greenfield wrote:
>> +1 on removing this security loophole in any of the ways suggested here.
> Good grief, it's not a "security loophole".
> If you actually cared about security, you'd already be using, recording
> and checking the MD5 checksums provided with each download and would
> already know that this isn't a security loophole.
> If you're not, then quit with the security theater.
Would you testify that HTTP is secure because I can emulate TLS in
PyPI should do what it can within reason to be consistent and safe for all
its users. We're talking about a standard best practice for sites with user
generated content. The original API was aware of this best practice and a
loophole was eventually introduced. Please do read the OP.
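The "record and check the checksums" mitigation raised in the quoted reply, as an added example that is not from the thread or from PyPI itself: a client pins each release file's digest the first time it is fetched and flags a later download under the same filename whose bytes differ. The manifest, filenames and file contents are constructed for illustration; MD5 is recorded only because that is what PyPI published in 2012, and the SHA-256 digest is the one a verifier should rely on.

```python
import hashlib

# Added example (not part of the original thread). Pinning a per-file digest
# makes a silently replaced release file detectable on the next download.


def digest(data: bytes, algo: str) -> str:
    """Hex digest of a file's bytes using the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def record(manifest: dict, filename: str, data: bytes) -> dict:
    """Pin a release file the first time it is seen; never overwrite a pin."""
    if filename in manifest:
        raise ValueError(f"{filename} is already pinned; a second upload must not replace it")
    manifest[filename] = {"md5": digest(data, "md5"), "sha256": digest(data, "sha256")}
    return manifest


def verify(manifest: dict, filename: str, data: bytes) -> str:
    """Classify a freshly fetched file as 'ok', 'unpinned' or 'mismatch'."""
    pinned = manifest.get(filename)
    if pinned is None:
        return "unpinned"
    if digest(data, "sha256") != pinned["sha256"] or digest(data, "md5") != pinned["md5"]:
        return "mismatch"
    return "ok"


# Constructed sample data: the file first published under a name, and a
# different file later uploaded under the very same name.
ORIGINAL = b"# foo 1.0\nprint('hello')\n"
REPLACED = b"# foo 1.0\nprint('hello world')\n"


def demo() -> tuple:
    """Pin the original, then check the original, the replacement and an unknown name."""
    manifest = record({}, "foo-1.0.tar.gz", ORIGINAL)
    return (
        verify(manifest, "foo-1.0.tar.gz", ORIGINAL),   # 'ok'
        verify(manifest, "foo-1.0.tar.gz", REPLACED),   # 'mismatch'
        verify(manifest, "bar-2.0.tar.gz", REPLACED),   # 'unpinned'
    )


if __name__ == "__main__":
    print(demo())
```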