[Catalog-sig] Proposal: close the PyPI file-replacement loophole
fuzzyman at gmail.com
Thu Feb 2 14:01:01 CET 2012
On 2 February 2012 01:36, Richard Jones <richard at python.org> wrote:
> Summarising the responses:
> 8 at +1
> 3 at -1
> Several posts with no stated positions.
Several posts with no explicit -1, but I see objections/misgivings from the
Plus Chris Withers sceptical of the "security" advantages, although not
Note that even if this hole is plugged it still offers no security
advantage to users of tools like pip/easy_install - all a package
maintainer has to do is switch to hosting the download themselves and the
tools will still merrily install the specified version from wherever it is
hosted (using the download link from pypi). So the *only* security fix is
to specify a secure hash to the install tool, not screw over package
maintainers with more restrictions on pypi.
Given the issues with md5, adding SHA (or similar) hashes to pypi would be
a much better use of time (IMO).
All the best,
> Given it appears to be controversial, I'm just going to drop it. I
> just don't need the aggravation. PyPI can retain its ability to serve
> up potentially confusing file content.
May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing http://www.sqlite.org/different.html
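The post's point is that a pinned, secure hash handed to the install tool is the only check that holds regardless of where a file is hosted. As an added example (not part of the thread, and not PyPI's or pip's own code), this Python snippet shows what such a check looks like: it accepts only SHA-2 pins, refuses md5, and catches a same-named file whose content has changed. All function names and sample bytes are constructed for illustration.

```python
"""Pinned-digest check for a downloaded distribution file.
Added example for this thread, not PyPI's or pip's own code: the post argues
that the only real protection is handing the install tool a secure hash to
check, since PyPI's rules cannot constrain off-site hosting. Names and
sample values here are constructed for illustration.
"""
import hashlib
import hmac

# Digest algorithms accepted in a pin; md5 is refused outright.
ACCEPTED_ALGORITHMS = {"sha256", "sha384", "sha512"}
HEX_DIGITS = set("0123456789abcdef")

def compute_pin(data, algo="sha256"):
    """Record a pin ('algo:hexdigest') for content the maintainer trusts."""
    if algo not in ACCEPTED_ALGORITHMS:
        raise ValueError("refusing to pin with weak algorithm: %r" % algo)
    return "%s:%s" % (algo, hashlib.new(algo, data).hexdigest())

def parse_pin(pin):
    """Split 'algo:hexdigest', rejecting weak algorithms and malformed digests."""
    algo, sep, digest = pin.partition(":")
    if not sep:
        raise ValueError("pin must look like 'sha256:<hex>'")
    algo, digest = algo.lower(), digest.lower()
    if algo not in ACCEPTED_ALGORITHMS:
        raise ValueError("weak or unsupported digest algorithm: %r" % algo)
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or not set(digest) <= HEX_DIGITS:
        raise ValueError("digest is not %d hex characters" % expected_len)
    return algo, digest

def verify_artifact(data, pin):
    """True only if data hashes to the pinned digest (constant-time compare).
    A mismatch means the served file differs from the one the pin was recorded
    against, regardless of which host served it."""
    algo, digest = parse_pin(pin)
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest)

# Constructed sample: the originally uploaded bytes and a same-named rebuild.
ORIGINAL = b"example-1.0.tar.gz contents\n"
REPLACED = b"example-1.0.tar.gz contents, silently rebuilt\n"
PIN = compute_pin(ORIGINAL)

if __name__ == "__main__":
    print(verify_artifact(ORIGINAL, PIN), verify_artifact(REPLACED, PIN))
```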