[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Yuval Greenfield ubershmekel at gmail.com
Wed Feb 1 16:34:20 CET 2012


On Wed, Feb 1, 2012 at 5:18 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> Donald Stufft <donald.stufft <at> gmail.com> writes:
> > I don't even understand why people are having this discussion. PyPI is
> > not a packaging *authority*. It's not Debian or Fedora or anything like
> > that. It's just a place for people to publish files and metadata. You
> > can't trust it any more than you can trust the uploaders themselves.
> >
> > Semantics arguments are boring and tired.
>
> Just because you don't understand them doesn't make them irrelevant.
> PyPI is *not* secure. Any maintainer can upload whatever (s)he wants. You
> are asking for a fix that won't do any good for the general problem.
>
[...]
> Regards
>
> Antoine.
>
With that attitude you must really hate bumping release versions.

Anyhow, it's a simple best practice that was the original design of the
system. As was mentioned, of course there are more vulnerabilities.
Improving the system one part at a time would still be a good idea.

This feature would be a big win in security and sanity for a very small
cost of convenience for very rare occasions and needs.

Yuval
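To make the "simple best practice" concrete, here is an added toy model (not code from the thread or from PyPI) contrasting an index that lets a maintainer silently overwrite an already-published filename with one that enforces the proposed rule, plus the client-side hash pin that catches a replaced artifact. The class and function names are my own.

```python
import hashlib


class ReplaceableIndex:
    """Toy index with the loophole: re-uploading a filename overwrites it.

    Constructed for illustration; a real index stores far more than bytes.
    """

    def __init__(self):
        self._files = {}  # filename -> file contents

    def upload(self, filename, data):
        self._files[filename] = data  # silently replaces any existing file

    def download(self, filename):
        return self._files[filename]


class ImmutableIndex(ReplaceableIndex):
    """Same index with the proposed fix: a published filename is final.

    Changing the contents requires publishing a new filename, which in
    practice means bumping the version.
    """

    def upload(self, filename, data):
        if filename in self._files:
            raise PermissionError(
                f"{filename} already published; bump the version instead")
        super().upload(filename, data)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def install_pinned(index, filename, pinned_sha256):
    """Client-side check: refuse an artifact whose hash differs from the one
    recorded when the file was first vetted. This is what detects a silent
    replacement on an index that still permits it."""
    data = index.download(filename)
    actual = sha256_hex(data)
    if actual != pinned_sha256:
        raise ValueError(
            f"{filename}: hash mismatch (pinned {pinned_sha256[:12]}..., "
            f"got {actual[:12]}...)")
    return data
```

The test below pins the hash of a first upload, then re-uploads different bytes under the same filename: the replaceable index accepts it and only the pinned client notices, while the immutable index rejects the re-upload outright.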