[Catalog-sig] Fwd: readthedocs.org or packages.python.org?

Donald Stufft donald.stufft at gmail.com
Thu Feb 7 01:14:45 CET 2013


On Wednesday, February 6, 2013 at 7:02 PM, Jacob Kaplan-Moss wrote:
> On Wed, Feb 6, 2013 at 5:45 PM, <martin at v.loewis.de> wrote:
> > I see. Still, it's not a problem at the moment; "python.org" does not issue
> > cookies. Even for the new site, it should be possible to find a secure
> > solution that doesn't involve shutting down packages.python.org.
> 
> Sadly, the only "secure solution" would be to not issue cookies, i.e.
> have no login components, and that's not what's required of the new
> site.
> 
> So something's gotta give here. Our options are basically:
> 
> * Don't launch the new site as spec'd; revise the scope to be
> completely static and have no login components.
> 
> * Make packages.python.org strip javascript and quite possibly certain
> HTML as well (I think it has to strip forms to prevent CSRF, but I
> haven't thought that through completely).
> 

This is pretty hard, basically no javascript, whitelist certain elements, etc.
You essentially take a lot of the value of packages.python.org out of
packages.python.org all so you can type packages.python.org instead
of python-packages.org (or RTD!).
> 
> * Move packages.python.org to a new TLD.
> 
> Since I've got an obvious financial incentive -- I'm being paid to
> build the new site -- I'll stay out of advocating. But as long as
> *.python.org allows arbitrary HTML and Javascript uploads, it makes
> the main site itself quite easily hackable.
> 
> Jacob 
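An added illustration of the cookie-scoping problem behind this thread, using Python's standard-library cookie jar; this is not code from the thread, the host names are the ones under discussion, and the cookie names and values are made up. It shows that a host-only session cookie on python.org is not sent to packages.python.org, but that a page served from packages.python.org can still set a cookie that python.org will receive, which is why stripping content on the subdomain does not by itself restore the boundary and moving it to a separate domain does.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self.msg = email.message.Message()
        for value in set_cookie_values:
            self.msg.add_header("Set-Cookie", value)

    def info(self):
        return self.msg


def new_jar():
    # DomainStrictNonDomain makes the stdlib jar treat cookies without a Domain
    # attribute as host-only, the way browsers do; the default policy is laxer.
    policy = http.cookiejar.DefaultCookiePolicy(
        strict_ns_domain=http.cookiejar.DefaultCookiePolicy.DomainStrictNonDomain)
    return http.cookiejar.CookieJar(policy)


def receive_set_cookie(jar, url, set_cookie_value):
    """Feed the jar one Set-Cookie header as if it came in a response from url."""
    jar.extract_cookies(FakeResponse([set_cookie_value]), urllib.request.Request(url))


def cookie_names_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())


def demo():
    jar = new_jar()
    # The main site logs a user in (cookie names and values are constructed).
    receive_set_cookie(jar, "https://python.org/login",
                       "sess_wide=abc; Domain=python.org; Path=/; Secure")  # domain-wide
    receive_set_cookie(jar, "https://python.org/login",
                       "sess_hostonly=abc; Path=/; Secure")  # host-only, no Domain attribute
    # A page served from the hosted-docs subdomain sets a cookie scoped to the parent domain.
    receive_set_cookie(jar, "https://packages.python.org/project/",
                       "planted=x; Domain=python.org; Path=/; Secure")
    return {
        "to_python_org": cookie_names_sent_to(jar, "https://python.org/account"),
        "to_packages": cookie_names_sent_to(jar, "https://packages.python.org/project/"),
    }
```

The host-only cookie stays on python.org, but the subdomain's cookie reaches python.org regardless, so nothing the main site sets for itself keeps a subdomain serving arbitrary content out of its cookie space.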
