[Catalog-sig] Fwd: readthedocs.org or packages.python.org?

Donald Stufft donald.stufft at gmail.com
Thu Feb 7 01:42:10 CET 2013


On Wednesday, February 6, 2013 at 7:22 PM, martin at v.loewis.de wrote:
> Quoting Jacob Kaplan-Moss <jacob at jacobian.org>:
> 
> > On Wed, Feb 6, 2013 at 5:45 PM, <martin at v.loewis.de> wrote:
> > > I see. Still, it's not a problem at the moment; "python.org" does not issue
> > > cookies. Even for the new site, it should be possible to find a secure
> > > solution that doesn't involve shutting down packages.python.org.
> > 
> > Sadly, the only "secure solution" would be to not issue cookies, i.e.
> > have no login components, and that's not what's required of the new
> > site.
> 
> Why is that? If the issue is for "www.python.org", then packages.python.org
> cannot steal it, can it?

Session Fixation.
> > So something's gotta give here. Our options are basically:
> > 
> > * Don't launch the new site as spec'd; revise the scope to be
> > completely static and have no login components.
> > 
> > * Make packages.python.org strip javascript and quite possibly certain
> > HTML as well (I think it has to strip forms to prevent CSRF, but I
> > haven't thought that through completely).
> > 
> > * Move packages.python.org to a new TLD.
> 
> There are certainly more options:
> - don't use cookies 1: use basic auth instead

Horrible UX, hope you didn't want CSRF protection either because
you throw that right out.
> - don't use cookies 2: use TLS session IDs instead

Pretty sure these are passed cleartext, hope you didn't want your
sessions MITM'd
> - don't use cookies 3: use X.509 certificates instead

Hope you didn't want CSRF protection. Also hope you didn't
want PyPI protected from session fixation. Or if you're
moving PyPI to X.509 certs too, have fun supporting all
those users.
> - move the login site to a new TLD (e.g. python-cms.org)

Hope you didn't want CSRF protection on python.org, or any
of this protected against PyPI.
> I'm not saying that all these options are practical, I'm just pointing
> out that there are definitely more than the three you've mentioned.
> 
> "Move to a new TLD" is much better than "tell people to go elsewhere",
> though.
> 
> Regards,
> Martin

Instead of trying to perform gymnastics to keep packages.python.org, just
keep it as is and move it to a new domain. It's simple, it's effective, and it
doesn't require horrible bandaids that don't completely solve the issue anyways.
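As an added illustration of the "Session Fixation" point in the reply above (this is not code from the thread, from python.org or from PyPI): a cookie that a page on packages.python.org sets with Domain=python.org is sent by the browser to www.python.org as well, so a login handler that adopts whatever session id the client already carries would honour a pre-planted one. The `cookies_sent_to` jar is a simplified model of RFC 6265 domain matching, `SESSIONS`, `login_fixable` and `login` are hypothetical, and the cookie values are constructed.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # constructed server-side store: session id -> session data


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the Domain or is a subdomain of it."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def cookies_sent_to(set_cookie_headers, setter_host, request_host):
    """Cookies a browser would attach to request_host, given the Set-Cookie
    headers it received from setter_host (simplified browser cookie jar)."""
    sent = {}
    for header in set_cookie_headers:
        for name, morsel in SimpleCookie(header).items():
            domain = morsel["domain"]
            if domain:
                # A setter may only claim itself or one of its parent domains.
                if not domain_matches(setter_host, domain):
                    continue
                if domain_matches(request_host, domain):
                    sent[name] = morsel.value
            elif request_host.lower() == setter_host.lower():
                sent[name] = morsel.value  # host-only cookie: setter only
    return sent


def login_fixable(presented_sid, username):
    """Vulnerable pattern: adopts whatever session id the client presents."""
    sid = presented_sid or secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


def login(presented_sid, username):
    """Fixation-resistant: never adopt a client-supplied id; issue a fresh one."""
    SESSIONS.pop(presented_sid, None)  # discard anything planted before login
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


if __name__ == "__main__":
    planted = ["sid=planted-id; Domain=python.org; Path=/"]  # constructed header
    print(cookies_sent_to(planted, "packages.python.org", "www.python.org"))
    print(login_fixable("planted-id", "alice"), login("planted-id", "alice"))
```

The same model shows why a separate registrable domain (Martin's "new TLD" option) closes the channel: a cookie set from packages.python.org can never reach a host outside python.org.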