[Catalog-sig] Allowing the upload of .py files at PyPI
Donald Stufft
donald.stufft at gmail.com
Thu Feb 14 20:37:06 CET 2013
On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
> Hello
>
> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
> get installed.
>
> In order to have a more secure installation process, we'd like to be
> able to push those files to PyPI so people can download them through
> HTTPS using the PSF certificate.
>
> As Phillip Eby noticed, that requires changing this method
> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>
> by:
>
> - allowing .py extensions,
> - allowing arbitrary file names when they have the .py extension
>
>
Arbitrary file names are a bad idea, IMO. What's to stop me from uploading
setup_distribute.py, linking to it as if it were distribute_setup.py, and
installing a malware'd distribute?
>
> Any objection if I provide a pull request for this?
>
> Cheers
> Tarek
>
> --
> Tarek Ziadé · http://ziade.org · @tarek_ziade
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> http://mail.python.org/mailman/listinfo/catalog-sig
>
>
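As an added illustration of the concern raised in this reply, and not code from this thread or from PyPI itself, here is the kind of server-side check that would let bootstrap .py files be uploaded without opening the door to lookalike names: a fixed registry of bootstrap filenames, each bound to the one project allowed to upload it, plus name normalization so that case and -/_ variants of a registered name are caught. The registry contents (which filename belongs to which project) and the normalization rule are assumptions made for this example.

```python
import re

# Constructed allowlist for illustration: which project may upload which
# bootstrap filename. The thread names setuptools, distribute and pip as
# projects that ship such files; the exact filenames and the idea of a
# registry are assumptions of this example, not PyPI policy.
BOOTSTRAP_FILES = {
    "ez_setup.py": "setuptools",
    "distribute_setup.py": "distribute",
    "get-pip.py": "pip",
}

# A plain filename: no path separators, no leading dot, only safe characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UploadRejected(ValueError):
    """Raised when an upload does not satisfy the bootstrap-file policy."""


def canonical(name: str) -> str:
    """Collapse case and the -/_/. separators so lookalike spellings compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_bootstrap_upload(project: str, filename: str) -> str:
    """Return the registered filename if PROJECT may upload FILENAME, else raise."""
    if not _SAFE_NAME.match(filename):
        raise UploadRejected("unsafe filename: %r" % filename)
    if not filename.endswith(".py"):
        raise UploadRejected("not a .py file: %r" % filename)
    owner = BOOTSTRAP_FILES.get(filename)
    if owner is not None:
        # Registered verbatim: only the owning project may upload it.
        if canonical(owner) != canonical(project):
            raise UploadRejected("%s may only be uploaded by %s, not %s"
                                 % (filename, owner, project))
        return filename
    # Not registered verbatim: refuse anything that normalizes to a
    # registered name, since that is exactly the lookalike case.
    wanted = canonical(filename)
    for registered in BOOTSTRAP_FILES:
        if canonical(registered) == wanted:
            raise UploadRejected("%s is a lookalike of registered %s"
                                 % (filename, registered))
    raise UploadRejected("%s is not a registered bootstrap file" % filename)


def vet_upload(project: str, filename: str):
    """Exception-free wrapper returning (accepted, message) for logging or tests."""
    try:
        return True, check_bootstrap_upload(project, filename)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample uploads: the legitimate file, the swapped-word
    # lookalike from the thread, a case/separator variant, a hijack attempt
    # by another project, and a path-traversal name.
    for project, filename in [
        ("distribute", "distribute_setup.py"),
        ("distribute", "setup_distribute.py"),
        ("distribute", "Distribute-Setup.py"),
        ("not-distribute", "distribute_setup.py"),
        ("pip", "../get-pip.py"),
    ]:
        print(project, filename, vet_upload(project, filename))
```

The point of the registry is that the name a user will type into a browser or a `curl` command is bound to one project in advance; a name that is merely "a .py file" carries no such binding, which is what makes the setup_distribute.py swap plausible.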