[Catalog-sig] Allowing the upload of .py files at PyPI
M.-A. Lemburg
mal at egenix.com
Thu Feb 14 23:34:21 CET 2013
On 14.02.2013 23:10, Nick Coghlan wrote:
> On 15 Feb 2013 05:50, "Tarek Ziadé" <tarek at ziade.org> wrote:
>>
>> On 2/14/13 8:37 PM, Donald Stufft wrote:
>>>
>>> On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
>>>>
>>>> Hello
>>>>
>>>> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
>>>> get installed,
>>>>
>>>> In order to have a more secured installation process, we'd like to be
>>>> able to push those files on PyPI so people can download them through
>>>> https using the PSF certificate.
>>>>
>>>> As Phillip Eby noticed, that requires changing this method
>>>>
>>>> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>>>>
>>>> by:
>>>>
>>>> - allowing .py extensions,
>>>> - allowing arbitrary file names when they have the .py extension
>>>
>>> Arbitrary file names is a bad idea imo. What's to stop me from uploading
>>> setup_distribute.py and linking to it as if it was distribute_setup.py and
>>> installing a malware'd distribute.
>>
>>
>> If you can upload in that location, it means you are a legit
>> owner/maintainer of the project AFAIK
>
> I'm more concerned about phishing style attacks. I don't want the PyPI
> admins to have to start scanning for hostile names like "distirbute".
>
> So how often do the bootstrap files change?
>
> If relatively frequently, I would prefer this to be a project-specific
> privilege granted by the PyPI admins (at least for now).
>
> If rarely, then I'd be happy enough if the update process required PyPI
> admin involvement (the project whitelist is probably a better idea, though).
I don't follow the reasoning here. What's the difference between
uploading a .py file and a .tar.gz file?
AFAIK, the only reason why the file extensions are restricted is to
prevent people from uploading MP3s, movies or other material that doesn't
belong on PyPI - not because there are security concerns.
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Feb 14 2013)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
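To make the two positions in the thread concrete, here is an added example (not PyPI's webui.py and not code from any of the posters) of an upload-validation routine that combines Nick Coghlan's "project-specific privilege" idea with Donald Stufft's objection to arbitrary names: a .py file is accepted only if it is on an explicit per-project bootstrap whitelist, archives must be prefixed with their own project name, and a separate check flags project names that are confusingly close to an existing one (the "distirbute" phishing case). The project set, the whitelist contents and the function names are assumptions constructed for illustration.

```python
import difflib
import re

# Constructed sample data (assumptions for this example, not PyPI's real
# registry): the registered project names, and for each project that has
# been granted the bootstrap privilege, the exact file names it may publish.
REGISTERED_PROJECTS = sorted({"distribute", "setuptools", "pip", "zope"})
BOOTSTRAP_WHITELIST = {
    "distribute": {"distribute_setup.py"},
    "setuptools": {"ez_setup.py"},
}

# Archive types that any project owner may upload under the usual
# "<project>-<version>.<ext>" naming convention.
ALLOWED_ARCHIVE_EXTENSIONS = (".tar.gz", ".tar.bz2", ".zip", ".egg")

# Conservative character set for uploaded file names: no path separators,
# no whitespace, no leading dot.
SAFE_FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def lookalike_projects(name, cutoff=0.8):
    """Return registered project names that are confusingly similar to
    `name` (exact matches excluded). Intended for use at project
    registration time so that typo-squatting names are flagged for review
    instead of being found later by an admin scanning the index."""
    matches = difflib.get_close_matches(name, REGISTERED_PROJECTS, n=3, cutoff=cutoff)
    return [p for p in matches if p != name]


def check_upload(project, filename):
    """Decide whether `filename` may be uploaded under `project`.

    Returns (accepted, reason). A .py file is accepted only when it is on
    the project's bootstrap whitelist; every other upload must be an
    allowed archive type whose name starts with the project name, so an
    owner of one project cannot publish a file named after another."""
    if not SAFE_FILENAME_RE.match(filename):
        return False, "filename contains disallowed characters"

    if filename.endswith(".py"):
        allowed = BOOTSTRAP_WHITELIST.get(project, set())
        if filename in allowed:
            return True, "whitelisted bootstrap script"
        return False, ".py upload is not whitelisted for project %r" % project

    if not filename.endswith(ALLOWED_ARCHIVE_EXTENSIONS):
        return False, "file extension not allowed"

    # Compare case-insensitively; the archive name must be "<project>-...".
    if not filename.lower().startswith(project.lower() + "-"):
        return False, "archive name does not start with the project name"
    return True, "release archive"


if __name__ == "__main__":
    for proj, fname in [("distribute", "distribute_setup.py"),
                        ("distribute", "setup_distribute.py"),
                        ("distribute", "distribute-0.6.35.tar.gz"),
                        ("distribute", "pip-1.2.tar.gz"),
                        ("zope", "zope_setup.py")]:
        print(proj, fname, check_upload(proj, fname))
    print("distirbute ->", lookalike_projects("distirbute"))
```

The whitelist makes the .py privilege an explicit, per-project decision by the index admins, which is the "project whitelist" option from the thread; the name-prefix rule on archives is the same ownership binding applied to ordinary releases. The look-alike check is deliberately a registration-time aid: it reports candidates for a human to review rather than rejecting names outright, since legitimate similar names exist.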