[Catalog-sig] Proposal: close the PyPI file-replacement loophole
mal at egenix.com
Mon Jan 30 10:46:00 CET 2012
Donald Stufft wrote:
> On Monday, January 30, 2012 at 4:23 AM, M.-A. Lemburg wrote:
>> Richard Jones wrote:
>>> Hi catalog-sig,
>>> When we initially implemented file upload to PyPI it was our intention
>>> that the file be immutable once uploaded. The goal was to make things
>>> significantly simpler for end users - there would only ever be one
>>> file with a given name. If the content changed then so must the name
>>> (typically by creating a new release version).
>>> After the upload facility was put in place we also added the ability
>>> to delete files uploaded to pypi. This created a loophole: if a
>>> package owner knew how to, they could delete the file and re-upload,
>>> thus circumventing the replacement protection.
>>> I'm considering closing this loophole by retaining a record of the
>>> uploaded file (though not the contents) so that future uploads with
>>> the same name wouldn't be allowed. I understand that this is how the
>>> ruby gem archive handles deletion of files.
>>> Your thoughts?
>> I don't think that's a good idea, since it would require the
>> package author to issue a new release whenever something goes wrong
>> with an upload (e.g. missing files, corrupted archive, etc.).
>> Please leave the existing logic in place.
> And version numbers are a scarce resource?
No, but having to kick off the whole release process again
just because something went wrong when uploading release files
to PyPI causes plenty of trouble.
> (Even though I believe it would be acceptable to cover that particular use case by giving a grace period of when you can re-upload).
Can't we just leave dealing with that problem to the package authors?
It's their responsibility, not PyPI's.
Professional Python Services directly from the Source (#1, Jan 30 2012)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
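As an added illustration (not PyPI's code and not written by anyone in the thread), a small Python model of the three behaviours under discussion: the current delete-and-re-upload loophole, the proposed retained record of deleted filenames, and the grace-period variant Donald mentions. It also shows the consumer-side hash check that notices when a file has been silently replaced under the same name. Filenames and contents are constructed samples.

```python
"""Model of the PyPI file-replacement loophole and the proposed fix.
Added example, not PyPI's code; filenames and contents are constructed."""
import hashlib


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class FileIndex:
    """Per-project file store. With keep_records=True, deleted filenames are
    remembered (content dropped) and may be reused only within grace_seconds;
    grace_seconds=0 is the strict "a name is never reusable" rule."""

    def __init__(self, keep_records: bool = True, grace_seconds: float = 0.0):
        self.keep_records = keep_records
        self.grace_seconds = grace_seconds
        self.files = {}     # name -> sha256 of the live content
        self.deleted = {}   # name -> (sha256, deleted_at) record of deleted files

    def upload(self, name: str, content: bytes, now: float) -> bool:
        if name in self.files:
            return False    # live files are immutable: no overwrite
        record = self.deleted.get(name)
        if record is not None and now - record[1] > self.grace_seconds:
            return False    # name was used before; a new name (release) is required
        self.deleted.pop(name, None)
        self.files[name] = sha256_hex(content)
        return True

    def delete(self, name: str, now: float) -> bool:
        digest = self.files.pop(name, None)
        if digest is None:
            return False
        if self.keep_records:
            self.deleted[name] = (digest, now)   # keep the record, not the bytes
        return True


def replace_via_delete(index: FileIndex, name: str, old: bytes, new: bytes, now: float) -> bool:
    """Run the delete-and-re-upload sequence; True if the name now serves new content."""
    index.upload(name, old, now)
    index.delete(name, now + 1)
    return index.upload(name, new, now + 2) and index.files[name] == sha256_hex(new)


def client_check(index: FileIndex, name: str, pinned_sha256: str) -> bool:
    """Consumer-side check: does the file under this name still match the pinned hash?"""
    return index.files.get(name) == pinned_sha256
```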