[Catalog-sig] Fwd: readthedocs.org or packages.python.org?

Jacob Kaplan-Moss jacob at jacobian.org
Thu Feb 7 01:02:08 CET 2013


On Wed, Feb 6, 2013 at 5:45 PM,  <martin at v.loewis.de> wrote:
> I see. Still, it's not a problem at the moment; "python.org" does not issue
> cookies. Even for the new site, it should be possible to find a secure
> solution
> that doesn't involve shutting down packages.python.org.

Sadly, the only "secure solution" would be to not issue cookies, i.e.
have no login components, and that's not what's required of the new
site.

So something's gotta give here. Our options are basically:

* Don't launch the new site as spec'd; revise the scope to be
completely static and have no login components.

* Make packages.python.org strip JavaScript and quite possibly certain
HTML as well (I think it has to strip forms to prevent CSRF, but I
haven't thought that through completely).

* Move packages.python.org to a new TLD.

Since I've got an obvious financial incentive -- I'm being paid to
build the new site -- I'll stay out of advocating. But as long as
*.python.org allows arbitrary HTML and JavaScript uploads, it makes
the main site itself quite easily hackable.

Jacob
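The cookie-scoping point behind this message, as an added illustration that is not part of the original thread: a cookie issued by the main site with `Domain=python.org` is sent to every subdomain, including one that serves uploaded HTML and JavaScript, while a host-only cookie (no `Domain` attribute) stays with the host that set it, and a host on a separate registrable domain receives neither. The example uses the standard-library `http.cookiejar` policy as a stand-in for a browser's cookie rules; the hostname `docs-host.example`, the cookie names and the values are constructed for the example.

```python
"""Added example: which python.org cookies reach which hosts.

Illustrative code, not from the mailing-list thread. http.cookiejar's
DefaultCookiePolicy approximates browser domain-matching; real browsers
additionally consult the Public Suffix List and honour the __Host-
cookie prefix, neither of which this module models.
"""
import email.message
import http.cookiejar
import urllib.request


class _CannedResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return a header mapping with get_all()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value  # repeated keys are kept

    def info(self):
        return self._msg


def store_cookies(jar, origin_url, set_cookie_headers):
    """Feed Set-Cookie headers 'received' from origin_url into the jar.

    The policy decides whether each cookie's Domain attribute is one the
    origin host may set. Returns the sorted names of all cookies now in
    the jar.
    """
    req = urllib.request.Request(origin_url)
    jar.extract_cookies(_CannedResponse(set_cookie_headers), req)
    return sorted(c.name for c in jar)


def cookies_sent_to(jar, url):
    """Return the set of cookie names the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if header is None:
        return set()
    # Netscape-style Cookie header: "name=value; name2=value2"
    return {part.split("=", 1)[0] for part in header.split("; ")}


def scope_report():
    """Simulate a login on www.python.org that sets two session cookies,
    then report which of them each host would receive.

    Returns a dict mapping host name -> set of cookie names sent to it.
    """
    jar = http.cookiejar.CookieJar()
    store_cookies(jar, "https://www.python.org/login", [
        # Scoped to the whole registrable domain: every *.python.org host gets it.
        "session_domain=abc123; Domain=python.org; Path=/; Secure",
        # Host-only: no Domain attribute, so only www.python.org gets it.
        "session_hostonly=def456; Path=/; Secure",
    ])
    return {
        "www.python.org": cookies_sent_to(jar, "https://www.python.org/"),
        "packages.python.org": cookies_sent_to(
            jar, "https://packages.python.org/somepkg/"),
        # Constructed name standing in for a separate registrable domain.
        "docs-host.example": cookies_sent_to(
            jar, "https://docs-host.example/somepkg/"),
    }


if __name__ == "__main__":
    for host, names in scope_report().items():
        print(f"{host:22s} receives: {sorted(names) or '(nothing)'}")
```

Host-only cookies close the leak in the direction shown here (the main site's cookie never reaches `packages.python.org`), which is the kind of "secure solution" the quoted reply hopes for. They do not close the other direction: any `*.python.org` host may itself set a cookie with `Domain=python.org` that the main site will then receive, so script running on a subdomain still has a foothold against the parent domain. That asymmetry is why the options above are limited to stripping active content or moving the hosted pages to a separate domain, where, as the third row of the report shows, neither cookie is sent at all.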

