[Catalog-sig] Allowing the upload of .py files at PyPI

Nick Coghlan ncoghlan at gmail.com
Thu Feb 14 23:10:24 CET 2013


On 15 Feb 2013 05:50, "Tarek Ziadé" <tarek at ziade.org> wrote:
>
> On 2/14/13 8:37 PM, Donald Stufft wrote:
>>
>> On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
>>>
>>> Hello
>>>
>>> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
>>> get installed,
>>>
>>> In order to have a more secured installation process, we'd like to be
>>> able to push those files on PyPI so people can download them through
>>> https using the PSF certificate.
>>>
>>> As Phillip Eby noticed, that requires changing this method
>>>
>>> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>>>
>>> by:
>>>
>>> - allowing .py extensions,
>>> - allowing arbitrary file names when they have the .py extension
>>
>> Arbitrary file names are a bad idea imo. What's to stop me from uploading
>> setup_distribute.py and linking to it as if it was distribute_setup.py and
>> installing a malware'd distribute.
>
>
> If you can upload in that location, it means you are a legit
> owner/maintainer of the project AFAIK

I'm more concerned about phishing style attacks. I don't want the PyPI
admins to have to start scanning for hostile names like "distirbute".

So how often do the bootstrap files change?

If relatively frequently, I would prefer this to be a project-specific
privilege granted by the PyPI admins (at least for now).

If rarely, then I'd be happy enough if the update process required PyPI
admin involvement (the project whitelist is probably a better idea, though).

Cheers,
Nick.

> --
> Tarek Ziadé · http://ziade.org · @tarek_ziade
>
>
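The thread proposes a project whitelist for bootstrap file names and worries about lookalike names such as "distirbute" and token-swapped names such as setup_distribute.py. The gate below is an added illustration of that idea, not code from PyPI's webui.py or from anyone in the thread: it accepts a .py upload only if the name is on the uploading project's allowlist, and it flags names that resemble another project's bootstrap file (token reorder or small edit distance) for admin review instead of silently rejecting them. The allowlist contents, the project "acme" and the distance threshold are assumptions.

```python
"""Allowlist gate for .py bootstrap uploads (illustrative, not PyPI's code)."""
import os
import re

# Constructed allowlist: project name -> bootstrap file names it may upload.
# distribute_setup.py is the name discussed in the thread; "acme" is made up.
BOOTSTRAP_ALLOWLIST = {
    "distribute": {"distribute_setup.py"},
    "acme": {"acme_bootstrap.py"},
}

# Names within this many edits of a known bootstrap file are treated as lookalikes.
MAX_EDIT_DISTANCE = 2

# Only plain basenames with a safe character set and a .py suffix are considered.
SAFE_NAME = re.compile(r"[A-Za-z0-9_\-]+\.py")


def levenshtein(a, b):
    """Classic edit distance; catches typo-style lookalikes such as distirbute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_tokens(name):
    """Lowercased, sorted name tokens; setup_distribute and distribute_setup compare equal."""
    stem = name[:-3] if name.endswith(".py") else name
    return sorted(t for t in re.split(r"[_\-.]+", stem.lower()) if t)


def check_bootstrap_upload(project, filename, allowlist=BOOTSTRAP_ALLOWLIST):
    """Return (accepted, reason) for a proposed .py upload by `project`."""
    # Reject path components and odd characters before looking at anything else.
    if os.path.basename(filename) != filename or not SAFE_NAME.fullmatch(filename):
        return False, "rejected: filename must be a plain basename ending in .py"

    # The happy path: the project is allowed to publish exactly this name.
    if filename in allowlist.get(project, ()):
        return True, "accepted: allowlisted for project"

    # Not allowlisted: say whether it looks like someone else's bootstrap file,
    # so an admin reviews the lookalike rather than scanning for it by hand.
    for owner, names in allowlist.items():
        if owner == project:
            continue
        for known in names:
            same_tokens = normalize_tokens(filename) == normalize_tokens(known)
            close = levenshtein(filename.lower(), known.lower()) <= MAX_EDIT_DISTANCE
            if same_tokens or close:
                return False, (f"rejected: '{filename}' resembles '{known}' "
                               f"owned by '{owner}'; needs admin review")

    return False, "rejected: not on the bootstrap allowlist for this project"


if __name__ == "__main__":
    # Constructed upload attempts covering the cases raised in the thread.
    for proj, name in [("distribute", "distribute_setup.py"),
                       ("evil", "setup_distribute.py"),
                       ("evil", "distirbute_setup.py"),
                       ("evil", "unrelated_tool.py"),
                       ("distribute", "../distribute_setup.py")]:
        print(proj, name, "->", check_bootstrap_upload(proj, name))
```

The lookalike check is deliberately a review trigger rather than a block list: the allowlist alone already stops the upload, and the extra signal only tells the admins which rejected names deserve a closer look.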