[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Wed Feb 1 15:54:29 CET 2012
On Wednesday, February 1, 2012 at 9:29 AM, Antoine Pitrou wrote:

> Yuval Greenfield <ubershmekel <at> gmail.com> writes:
> > 
> > Obviously this isn't the only problem if the account of an SQLAlchemy
> > maintainer is compromised - other threats can manifest as well.
> > 
> 
> 
> So, why you think PyPI has to have protections against the hacking of
> maintainers' accounts is beyond me. That's a completely unreasonable
> expectation.
> 
> 

That's only one relatively unlikely scenario where this would be useful and a good change; there are other, more likely scenarios where this would also be a good change.
> 
> Besides, being able to delete a release is mandatory (imagine you have uploaded
> confidential files by mistake).
> 
> 

Nothing in this proposal removes the ability to delete files. You just won't be able to re-upload a file of the same name (basically version). So if you accidentally include confidential files in version 2.3, you can delete version 2.3, but you'll have to release the fixed version as 2.3.1.
> 
> I don't even understand why people are having this discussion. PyPI is not a
> packaging *authority*. It's not Debian or Fedora or anything like that. It's
> just a place for people to publish files and metadata. You can't trust it any
> more than you can trust the uploaders themselves.
> 
> 

Semantic arguments are boring and tired. People depend on PyPI and the packages installed there. They depend on the ability to pin to a specific tested release of libraries, and they should be able to depend on the fact that if they ask for version 1.1 of library XYZ they will always get the exact same package.

What if python.org decided to replace the download links for Python 2.7.2 with a new version of Python 2.7.2 with new bugs fixed, or maybe a typo? What if those "harmless" fixes broke my software because I was depending on that behavior, and now my software just stops working, for no reason whatsoever? What's worse is it still works on some computers (where I have the _original_ version installed) but on other computers it just doesn't work.
> 
> Regards
> 
> Antoine.
> 
> 
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
> 
> 


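To make the rule under discussion concrete, here is an added illustration that is not part of this thread and not PyPI's code: a toy index that models the proposed policy (a filename, once published, can be deleted but never reused) beside the old behaviour (delete, then upload a different file under the same name), together with the consumer-side hash pin that is the only thing a downstream user can rely on when an index does allow replacement. The package name, file contents and the `Index`, `verify_pin` and `scenario` helpers are all constructed for the example.

```python
"""Model of the file-replacement rule proposed on Catalog-SIG, plus a
consumer-side hash pin. Added illustration; not PyPI's implementation."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReuploadRejected(Exception):
    """Raised when a filename that was ever published is uploaded again."""


@dataclass
class Index:
    """Toy package index (constructed for this example).

    allow_replace=True  models the pre-proposal behaviour: delete a file,
                        then upload different bytes under the same name.
    allow_replace=False models the proposed rule: a filename, once
                        published, may be deleted but never reused.
    """
    allow_replace: bool = False
    files: dict[str, bytes] = field(default_factory=dict)
    published: set[str] = field(default_factory=set)  # every name ever uploaded

    def upload(self, filename: str, content: bytes) -> str:
        if filename in self.files:
            raise ReuploadRejected(f"{filename} is live; delete it first")
        if filename in self.published and not self.allow_replace:
            raise ReuploadRejected(f"{filename} was published before; use a new version")
        self.files[filename] = bytes(content)
        self.published.add(filename)
        return sha256hex(content)  # the hash a consumer would pin

    def delete(self, filename: str) -> None:
        # Deletion stays possible under both policies (e.g. a leaked secret).
        del self.files[filename]

    def fetch(self, filename: str) -> bytes | None:
        return self.files.get(filename)


def verify_pin(index: Index, filename: str, expected_sha256: str) -> str:
    """Consumer-side check of a pinned artifact.

    Returns 'ok', 'missing' (file deleted, nothing substituted) or
    'mismatch' (same filename now serves different bytes).
    """
    data = index.fetch(filename)
    if data is None:
        return "missing"
    return "ok" if sha256hex(data) == expected_sha256 else "mismatch"


# Constructed stand-ins for two sdists; not real packages.
ORIGINAL = b"XYZ 2.3: tests plus, by mistake, a private key\n"
FIXED = b"XYZ 2.3: private key removed, same version number\n"


def scenario(allow_replace: bool) -> dict[str, str]:
    """Maintainer publishes 2.3, a consumer pins its hash, the maintainer
    deletes the file and tries to reuse the name, then releases 2.3.1.
    Returns what the maintainer and the pinned consumer each observe."""
    idx = Index(allow_replace=allow_replace)
    pin = idx.upload("xyz-2.3.tar.gz", ORIGINAL)  # consumer records this
    idx.delete("xyz-2.3.tar.gz")
    try:
        idx.upload("xyz-2.3.tar.gz", FIXED)
        reupload = "accepted"
    except ReuploadRejected:
        reupload = "rejected"
    # A genuinely new version number is accepted under both policies.
    idx.upload("xyz-2.3.1.tar.gz", FIXED)
    return {
        "reupload": reupload,
        "pin_check": verify_pin(idx, "xyz-2.3.tar.gz", pin),
        "new_version": verify_pin(idx, "xyz-2.3.1.tar.gz", sha256hex(FIXED)),
    }


if __name__ == "__main__":
    print("old behaviour: ", scenario(allow_replace=True))
    print("proposed rule: ", scenario(allow_replace=False))
```

Under the old behaviour the re-upload is accepted and the pinned consumer sees `mismatch`: the name they tested against now resolves to different bytes, which is exactly the "works on some machines, not on others" outcome described above. Under the proposed rule the re-upload is rejected, the pinned file is simply `missing`, and the fix ships as 2.3.1; the hash pin is still worth keeping client-side, since it is the check that does not depend on the index's policy.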