[Catalog-sig] Allowing the upload of .py files at PyPI
PJ Eby
pje at telecommunity.com
Thu Feb 14 23:43:56 CET 2013
On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> I'm more concerned about phishing style attacks. I don't want the PyPI
> admins to have to start scanning for hostile names like "distirbute".
I'm not sure what you mean. These things exist only for the
corresponding package (buildout, setuptools, or distribute), and
aren't downloaded from any other project. Generally, they are
downloaded either by 1) a human, or 2) another tool that wants to
support installation in the absence of a pre-existing setuptools or
distribute installation (mainly zc.buildout AFAIK).
(Or are you saying that somebody might upload a project called, say,
"distribute_", and try to trick people into downloading it? I'm not
sure how that's a threat that can be defended against in any event.)
> So how often do the bootstrap files change?
Setuptools releases an updated version with each new release, as it
contains an MD5 signature for downloading the new release. I *think*
distribute does the same. Not so sure about buildout.
More information about the Catalog-SIG
mailing list