[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Chris Withers chris at simplistix.co.uk
Mon Jan 30 22:46:25 CET 2012


On 30/01/2012 21:27, Yuval Greenfield wrote:
>     A little off-topic, but I always find it strange that some users of PyPI
>     appear to trust package authors with the software they put up on PyPI,
>     but don't trust them when it comes to the release process.
>     Very strange indeed...
>
>
> I don't trust "package authors".
>
> I do trust specific versions of specific packages that I've tested.
>
> If I can't trust PyPI to always give me the exact same result for a
> specific package-version then I can't use it.
>
> IOW if a hacked maintainer account can modify existing releases - PyPI
> is a very real attack vector into many existing systems.

Tin foil hats all round ;-)

Chris

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
            - http://www.simplistix.co.uk
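The check Yuval is asking for, trusting a specific tested release rather than whoever holds the maintainer account, as an added example that is not code from this thread or from PyPI: the consumer records the digest of a release file once it has been tested and refuses any later download under the same filename whose bytes differ. The package name, file bytes and pin below are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample: the bytes of a release file as it was when the
# consumer tested it. Any later replacement under the same name must differ.
TESTED_SDIST = b"fake sdist contents: mypackage-1.0.0 (constructed sample)"


@dataclass(frozen=True)
class Pin:
    """A pinned release: filename plus the digest of the file that was tested."""
    filename: str
    algorithm: str
    digest: str


def make_pin(filename: str, data: bytes, algorithm: str = "sha256") -> Pin:
    """Record a pin from a file the consumer has already tested and trusts."""
    if algorithm in ("md5", "sha1") or algorithm not in hashlib.algorithms_available:
        raise ValueError(f"refusing weak or unknown algorithm: {algorithm}")
    return Pin(filename, algorithm, hashlib.new(algorithm, data).hexdigest())


def verify_download(pin: Pin, filename: str, data: bytes) -> bool:
    """True only if the downloaded file is byte-for-byte the pinned one.

    A file replaced under the same name/version yields a different digest,
    so a hijacked maintainer account cannot silently change what gets installed.
    """
    if filename != pin.filename:
        return False
    actual = hashlib.new(pin.algorithm, data).hexdigest()
    # Constant-time compare: not strictly needed for a public digest, but the right habit.
    return hmac.compare_digest(actual, pin.digest)


def requirements_line(pin: Pin, name: str, version: str) -> str:
    """Render the pin in the --hash= form that pip's hash-checking mode accepts."""
    return f"{name}=={version} --hash={pin.algorithm}:{pin.digest}"


if __name__ == "__main__":
    pin = make_pin("mypackage-1.0.0.tar.gz", TESTED_SDIST)
    print(requirements_line(pin, "mypackage", "1.0.0"))
    replaced = TESTED_SDIST + b"\n# one extra byte is enough to change the digest"
    print(verify_download(pin, "mypackage-1.0.0.tar.gz", TESTED_SDIST))  # True
    print(verify_download(pin, "mypackage-1.0.0.tar.gz", replaced))      # False
```

The pin is only as good as the testing that produced it: it detects that a file changed after it was vetted, not that the original upload was safe.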

