[Catalog-sig] Allowing the upload of .py files at PyPI

Tarek Ziadé tarek at ziade.org
Thu Feb 14 20:50:45 CET 2013


On 2/14/13 8:37 PM, Donald Stufft wrote:
> On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
>> Hello
>>
>> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
>> get installed.
>>
>> In order to have a more secure installation process, we'd like to be
>> able to push those files to PyPI so people can download them through
>> https using the PSF certificate.
>>
>> As Phillip Eby noticed, that requires changing this method
>> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>>
>> by:
>>
>> - allowing .py extensions,
>> - allowing arbitrary file names when they have the .py extension
> Arbitrary file names are a bad idea imo. What's to stop me from uploading
> setup_distribute.py and linking to it as if it was distribute_setup.py and
> installing a malware'd distribute?

If you can upload in that location, it means you are a legit
owner/maintainer of the project AFAIK.

-- 
Tarek Ziadé · http://ziade.org · @tarek_ziade
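Added example, not code from PyPI's webui.py and not something either poster proposed: one way to admit .py bootstrap uploads while ruling out the arbitrary names Donald objects to is to bind the file name to the project it is uploaded under. The normalization rule and the list of accepted distribution extensions are assumptions made for the example.

```python
import re

# Bare file names only: no path separators, no leading dot (rejects '../x.py').
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
# Extensions assumed to already be accepted for ordinary distributions (hypothetical).
DIST_EXTENSIONS = (".tar.gz", ".zip", ".egg", ".exe", ".msi")


def normalize(name):
    """Fold runs of '-', '_' and '.' to one underscore and lowercase (assumed rule)."""
    return re.sub(r"[-_.]+", "_", name).lower()


def allowed_upload_filename(project, filename):
    """Return True if *filename* may be uploaded under *project*.

    A .py file is accepted only when its stem is the normalized project name
    or starts with it plus '_', so 'distribute_setup.py' fits project
    'distribute' but 'setup_distribute.py' does not.
    """
    if not SAFE_NAME.match(filename):
        return False
    if filename.endswith(DIST_EXTENSIONS):
        return True
    if not filename.endswith(".py"):          # also rejects .pyc, .pyw, ...
        return False
    stem = normalize(filename[:-len(".py")])
    proj = normalize(project)
    return stem == proj or stem.startswith(proj + "_")


def check_many(project, filenames):
    """Map each candidate name to its verdict, for reviewing a batch of uploads."""
    return {name: allowed_upload_filename(project, name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the pair discussed in the thread.
    sample = ["distribute_setup.py", "setup_distribute.py",
              "distribute-0.6.35.tar.gz", "../distribute_setup.py",
              "distribute_setup.pyc"]
    for name, ok in check_many("distribute", sample).items():
        print("%-28s %s" % (name, "accept" if ok else "reject"))
```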
