[Catalog-sig] New pythonpackages.com service coming soon

Alex Clark aclark at aclark.net
Mon Jan 23 01:00:03 CET 2012


On 1/22/12 6:34 PM, Richard Jones wrote:
> On 23 January 2012 10:20, Alex Clark<aclark at aclark.net>  wrote:
>> On 1/22/12 5:45 PM, Richard Jones wrote:
>>>
>>> On 23 January 2012 04:04, Alex Clark<aclark at aclark.net>    wrote:
>>>>
>>>> - I have created a "user" `pythonpackages` on PyPI
>>>> - I have uploaded an ssh key [1].
>>>> - I have added `pythonpackages` as a maintainer of `Pillow`.
>>>> - You can imagine the rest (and if you can't, it's a secret for now.)
>>>>
>>>> Now, I read the TOS very carefully before creating the `pythonpackages`
>>>> "user". And there was nothing in it to indicate this action is anything
>>>> other than "fair use". But I want to bring it to the attention of the PyPI
>>>> maintainers now, in the event the service becomes popular later (I know at
>>>> least I am planning to use it quite a bit. And we have ~70 beta users signed
>>>> up to begin testing.)
>>>
>>>
>>> My initial only concern is that the registering and uploading of
>>> packages to the index might become too anonymous.
>>>
>>> We are frequently called upon to identify the owners of packages (for
>>> a variety of reasons: ownership disputes, transfer of ownership,
>>> reclamation of zombies, that sort of thing).
>>>
>>> Currently a person must be registered with PyPI and listed as an
>>> owner/maintainer to be able to register package releases and upload
>>> files for a package. Even if we required a non-pythonpackages user to
>>> be listed against a package that association could become stale (the
>>> person listed in PyPI could no longer have anything to do with
>>> the package.)
>>
>> That shouldn't be a concern here because anyone that wants to use the
>> service (currently) must manually assign the Maintainer role to the
>> `pythonpackages` user for their package(s). We (currently) have no plans to
>> register any new packages with the `pythonpackages` user. Our plans could
>> change in the future, but at present this is a small, cautious step towards
>> release automation.
>
> My concern was that in the longer term this could happen:
>
> 1. user registers package on pypi (and is thus owner)
> 2. user assigns pythonpackages as co-maintainer
> 3. user and others in package project use pythonpackages to submit new
> releases (possibly automa[tg]ically using mechanisms set up by the
> user from step #1 that they aren't fully aware of)
> 4. time passes and user from step #1 no longer participates in project
> 5. there is now effectively no useful human assigned to the package on
> pypi, yet releases may still happen


Releases may technically still be possible via pythonpackages.com, but 
practically speaking they shouldn't happen because the only person able 
to trigger them (from pythonpackages.com) is the user that disappeared.

However, you have got me thinking about a potential abuse scenario where 
a "legitimate" but malicious pythonpackages.com user could release any 
package that had `pythonpackages` as a Maintainer.

This makes me think that at the very least, in addition to adding the 
`pythonpackages` user as Maintainer, we (pythonpackages.com) must 
require users to identify themselves with their PyPI openid (which of 
course can be used for identification, but not releasing packages).

That way pythonpackages.com could verify that the package being released 
has the right Owner, simply by checking the package metadata and 
reconciling it with the openid (at least in my head this sounds like it 
should work).



>
> As I said before, we frequently get requests for ownership
> reassignment. In this case the original owner is not contactable /
> helpful (this happens a bit.) We can see there are more recent releases
> but we don't know who is performing them. We are now in a bind, or
> have to spend a bunch more effort to figure out what's going on - and
> we're already somewhat stretched (for two volunteers) with the current
> setup.


Indeed, I definitely don't want to create more work for anyone.



Alex



>
>
>       Richard


-- 
Alex Clark · http://pythonpackages.com
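The owner/OpenID reconciliation Alex sketches above, written out as an added illustration that is not part of the thread or of pythonpackages.com's code. The OpenID URL layout (`pypi.example.org/id/<user>`), the `(role, username)` shape of the PyPI role table and the sample data are assumptions made for the example.

```python
from urllib.parse import urlparse

SERVICE_USER = "pythonpackages"
# Assumed OpenID identity layout for this illustration; real PyPI URLs may differ.
OPENID_HOST = "pypi.example.org"
OPENID_PATH_PREFIX = "/id/"


def username_from_openid(openid_url):
    """Map a verified OpenID identity URL to a PyPI username, or None if it
    is not an identity this service trusts (wrong scheme, host or path)."""
    parts = urlparse(openid_url)
    if parts.scheme != "https" or parts.netloc != OPENID_HOST:
        return None
    if not parts.path.startswith(OPENID_PATH_PREFIX):
        return None
    name = parts.path[len(OPENID_PATH_PREFIX):].strip("/")
    return name or None


def release_allowed(roles, requester_openid):
    """Decide whether the service may push a release of a package.

    roles: (role, username) pairs as recorded on PyPI for that package,
    e.g. [("Owner", "aclark"), ("Maintainer", "pythonpackages")].
    Returns (allowed, reason).
    """
    requester = username_from_openid(requester_openid)
    if requester is None:
        return False, "requester identity not verified"
    # Nobody may act as the shared service account itself.
    if requester == SERVICE_USER:
        return False, "service account cannot act as a requester"
    # The project must have delegated to the service account explicitly.
    if not any(user == SERVICE_USER for _, user in roles):
        return False, f"{SERVICE_USER} is not a maintainer of this package"
    # The shared Maintainer role alone would let any service user release any
    # delegated package, so the person triggering the release must be an Owner.
    if ("Owner", requester) not in roles:
        return False, f"{requester} is not an owner of this package"
    return True, f"release authorized for owner {requester}"


# Constructed sample role table (not real PyPI data).
SAMPLE_ROLES = [("Owner", "aclark"), ("Maintainer", "pythonpackages")]

if __name__ == "__main__":
    for who in ("aclark", "mallory", "pythonpackages"):
        print(who, release_allowed(SAMPLE_ROLES, f"https://{OPENID_HOST}/id/{who}"))
```

The "legitimate but malicious" user case is the `mallory` check: a valid service login that is not an Owner of the package is refused even though `pythonpackages` holds the Maintainer role.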