[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Wed Feb 1 10:23:11 CET 2012

It absolutely is.

And I'm already working on a solution that solves the checksum problem for myself. That's all well and good, I won't be affected. But a huge part of the population will still be vulnerable to issues such as previously known code breaking for unknown reasons (which is difficult and infuriating to debug), silent errors that don't actually error things out, but just cause corrupt data (which is worse than it just flat out breaking), or at the far end of the spectrum _can_ be an outright security vulnerability. Pretending like that is outside of the realm of possibilities is irresponsible and wrong.

I prefer to try and protect everyone where we can, especially when the tradeoff is something as relatively minor as needing to create a new version in the rare case (or should-be-rare case; if it's not rare, something is very wrong with your release process) that your packaging was bad. (If the problem is with the software itself then it's even more wrong to rerelease it under the same version.) So far every solution amounts to either "well then don't use PyPI", or "don't use any of the python packaging tools except for zc.buildout* so that in the rare case that I make a mistake I can be lazy."

* To my knowledge zc.buildout is the only one that supports it. 

On Wednesday, February 1, 2012 at 3:36 AM, Chris Withers wrote:

> On 01/02/2012 07:12, Yuval Greenfield wrote:
> > +1 on removing this security loophole in any of the ways suggested here.
> Good grief, it's not a "security loophole".
> If you actually cared about security, you'd already be using, recording 
> and checking the MD5 checksums provided with each download and would 
> already know that this isn't a security loophole.
> If you're not, then quit with the security theater.
> cheers,
> Chris
> -- 
> Simplistix - Content Management, Batch Processing & Python Consulting
> - http://www.simplistix.co.uk
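An added example (not code from this thread, from PyPI, or from any packaging tool) of the "record and check the checksum" discipline the thread argues about: pin the digest of the archive first seen for a given version, and refuse a later download of the same version whose digest differs, so a file silently replaced under an unchanged version is caught before it is installed. The project name, version strings and archive bytes are constructed; the digest defaults to SHA-256, with MD5 supported only to compare against a legacy record.

```python
"""Pin and verify per-release archive digests to catch same-version file replacement."""
import hashlib
import hmac


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an archive's bytes. 'md5' is accepted only to match an existing record."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def record(pins: dict, project: str, version: str, data: bytes, algo: str = "sha256") -> dict:
    """Pin the digest of the archive first seen for project==version.

    Refuses to overwrite an existing pin: a different file must mean a different version.
    """
    key = f"{project}=={version}"
    if key in pins:
        raise ValueError(f"{key} is already pinned; re-release under a new version instead")
    pins[key] = {"algo": algo, "digest": digest(data, algo)}
    return pins


def verify(pins: dict, project: str, version: str, data: bytes) -> str:
    """Classify a freshly downloaded archive as 'ok', 'unpinned' or 'mismatch'."""
    pin = pins.get(f"{project}=={version}")
    if pin is None:
        return "unpinned"          # first sight of this version: caller should record() it
    actual = digest(data, pin["algo"])
    return "ok" if hmac.compare_digest(actual, pin["digest"]) else "mismatch"


def demo() -> dict:
    """Constructed scenario: a release is pinned, then re-uploaded under the same version."""
    pins: dict = {}
    original = b"PK\x03\x04 constructed-wheel-contents example-pkg 1.0"   # constructed sample
    replaced = b"PK\x03\x04 constructed-wheel-contents example-pkg 1.0 (quietly fixed)"
    record(pins, "example-pkg", "1.0", original)
    return {
        "same_file": verify(pins, "example-pkg", "1.0", original),      # 'ok'
        "replaced_file": verify(pins, "example-pkg", "1.0", replaced),  # 'mismatch'
        "new_version": verify(pins, "example-pkg", "1.1", replaced),    # 'unpinned'
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```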
