[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Michael Foord fuzzyman at gmail.com
Thu Feb 2 14:01:01 CET 2012

On 2 February 2012 01:36, Richard Jones <richard at python.org> wrote:

> Summarising the responses:
> 8 at +1
> 3 at -1
> Several posts with no stated positions.

Several posts with no explicit -1, but I see objections/misgivings from the

Martin Loewis
Phillip Eby
Antoine Pitrou
Robert Collins
MA Lemburg

Plus Chris Withers sceptical of the "security" advantages, although not
explicitly objecting.

Note that even if this hole is plugged it still offers no security
advantage to users of tools like pip/easy_install - all a package
maintainer has to do is switch to hosting the download themselves and the
tools will still merrily install the specified version from wherever it is
hosted (using the download link from pypi). So the *only* security fix is
to specify a secure hash to the install tool, not screw over package
maintainers with more restrictions on pypi.

Given the issues with md5, adding SHA (or similar) hashes to pypi would be
a much better use of time (IMO).

All the best,

Michael Foord

> Given it appears to be controversial, I'm just going to drop it. I
> just don't need the aggravation. PyPI can retain its ability to serve
> up potentially confusing file content.
>    Richard
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig



May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing http://www.sqlite.org/different.html
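The "specify a secure hash to the install tool" fix argued for above, as an added worked example (not code from pip, easy_install or PyPI, and not the poster's own): the installer verifies whatever bytes it fetched against a digest pinned in the download link, so the check holds regardless of which host served the file, and md5 pins are refused unless explicitly allowed. The '#<alg>=<hex>' fragment convention, the strong/weak split (sha256/384/512 strong, md5/sha1 weak), the function names and the sample payload are assumptions for illustration.

```python
"""Verify a fetched distribution against a hash the *installer* pins,
so the check holds no matter which host served the file.

Added example for this thread; not code from pip, easy_install or PyPI.
Assumptions (not from the page): download links carry a PyPI-style
'#<alg>=<hex>' fragment; sha256/384/512 count as strong, md5/sha1 as weak.
"""
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

STRONG_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})
HEX_DIGITS = frozenset("0123456789abcdef")


def pinned_hash(url):
    """Return (alg, hexdigest) from a '#md5=...' / '#sha256=...' fragment, else None.

    Malformed pins (unknown algorithm, non-hex or wrong-length digest) are
    treated as absent rather than trusted.
    """
    fragment = urlsplit(url).fragment
    alg, sep, hexdigest = fragment.partition("=")
    alg, hexdigest = alg.lower(), hexdigest.lower()
    if not sep or alg not in hashlib.algorithms_available:
        return None
    if not hexdigest or not set(hexdigest) <= HEX_DIGITS:
        return None
    if len(hexdigest) != hashlib.new(alg).digest_size * 2:
        return None
    return alg, hexdigest


def verify_download(url, data, allow_weak=False):
    """Check `data` against the hash pinned in `url`.

    Returns one of 'ok', 'unpinned', 'weak-hash', 'mismatch'. A real
    installer would refuse to install on anything but 'ok'.
    """
    pin = pinned_hash(url)
    if pin is None:
        return "unpinned"      # nothing to verify: the host could serve anything
    alg, expected = pin
    if alg not in STRONG_ALGORITHMS and not allow_weak:
        return "weak-hash"     # md5/sha1 pins rejected unless explicitly allowed
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(actual, expected):
        return "mismatch"      # file replaced on the host or altered in transit
    return "ok"


def pin_url(url, data, alg="sha256"):
    """Build the link an index would publish for `data`: url + '#<alg>=<hex>'."""
    digest = hashlib.new(alg, data).hexdigest()
    scheme, netloc, path, query, _ = urlsplit(url)
    return urlunsplit((scheme, netloc, path, query, f"{alg}={digest}"))


# Constructed sample payload standing in for an sdist; not a real package.
SAMPLE_SDIST = b"example-1.0.tar.gz: constructed sample bytes, not a real sdist\n"
TAMPERED_SDIST = SAMPLE_SDIST + b"# extra bytes appended by a hostile mirror\n"
BASE_URL = "https://files.example.invalid/example-1.0.tar.gz"  # assumed host


if __name__ == "__main__":
    # The index publishes a sha256-pinned link; the installer checks what it fetched.
    link = pin_url(BASE_URL, SAMPLE_SDIST)
    print(verify_download(link, SAMPLE_SDIST))                       # ok
    print(verify_download(link, TAMPERED_SDIST))                     # mismatch
    md5_link = pin_url(BASE_URL, SAMPLE_SDIST, "md5")
    print(verify_download(md5_link, SAMPLE_SDIST))                   # weak-hash
    print(verify_download(md5_link, SAMPLE_SDIST, allow_weak=True))  # ok
    print(verify_download(BASE_URL, SAMPLE_SDIST))                   # unpinned
```

Note that the check is entirely on the installer's side: replacing the file on PyPI, or moving the download to a maintainer's own host, changes nothing unless the pinned digest also changes, which is the point made above about where the real security fix lives.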
