[Catalog-sig] Allowing the upload of .py files at PyPI

Jim Fulton jim at zope.com
Thu Feb 14 23:47:08 CET 2013


On Thu, Feb 14, 2013 at 5:43 PM, PJ Eby <pje at telecommunity.com> wrote:
> On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>> I'm more concerned about phishing style attacks. I don't want the PyPI
>> admins to have to start scanning for hostile names like "distirbute".
>
> I'm not sure what you mean.  These things exist only for the
> corresponding package (buildout, setuptools, or distribute), and
> aren't downloaded from any other project.  Generally, they are
> downloaded either by 1) a human, or 2) another tool that wants to
> support installation in the absence of a pre-existing setuptools or
> distribute installation (mainly zc.buildout AFAIK).
>
> (Or are you saying that somebody might upload a project called, say,
> "distribute_", and try to trick people into downloading it?  I'm not
> sure how that's a threat that can be defended against in any event.)
>
>> So how often do the bootstrap files change?
>
> Setuptools releases an updated version with each new release, as it
> contains an MD5 signature for downloading the new release.  I *think*
> distribute does the same.  Not so sure about buildout.

Buildout does not.  So its bootstrap file doesn't change very often.

Jim

-- 
Jim Fulton
http://www.linkedin.com/in/jimfulton
Jerky is better than bacon! http://zo.pe/Kqm
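Added example (editor's illustration, not code from this thread, from setuptools, distribute, buildout or PyPI): the two mechanisms discussed above in working form. Part 1 is a bootstrap file that embeds a digest of the release it will fetch and refuses to use an archive that does not match, which is why setuptools has to ship a new bootstrap file with every release. Note that the MD5 the thread calls a "signature" is a checksum, not a signature: it ties the download to whatever the bootstrap author saw, so it is only as trustworthy as the channel the bootstrap file itself came over, and MD5 is collision-prone, so new pins should use sha256. Part 2 is the registry-side check Nick is worried about having to run by hand: flag a new project name that is one typo (including a swapped pair of letters, as in "distirbute") away from a protected name, after PEP 503 style normalization so "Distribute_" and "distribute" compare equal. The function names, the protected-name list, the sample archive bytes and the `fetch` callable standing in for the network download are all assumptions made for the example.

```python
"""Digest-pinned bootstrap download and lookalike-name check.

Added example for the Catalog-SIG thread; not setuptools', distribute's,
buildout's or PyPI's own code.  Names and sample data are assumed.
"""
import hashlib
import hmac
import re


# --- 1. Bootstrap file that pins the release it fetches -------------------

class PinMismatch(Exception):
    """Raised when the downloaded archive does not match the embedded pin."""


def make_pin(archive: bytes, algorithm: str = "md5") -> str:
    """Release-time step: compute the digest that gets embedded in the newly
    generated bootstrap file.  MD5 matches the thread; use sha256 for new
    pins, MD5 collisions are cheap to produce."""
    return f"{algorithm}:{hashlib.new(algorithm, archive).hexdigest()}"


def verify_release(archive: bytes, pin: str) -> bool:
    """Install-time step: recompute the digest of what was downloaded and
    compare it to the pin before anything from the archive is executed."""
    algorithm, _, expected = pin.partition(":")
    actual = hashlib.new(algorithm, archive).hexdigest()
    return hmac.compare_digest(actual, expected)


def bootstrap(fetch, pin: str) -> bytes:
    """`fetch` is a zero-argument callable standing in for the HTTP download
    so the example runs offline.  Returns the archive only if it is the one
    the bootstrap was generated for; a mismatch is an error, not a warning."""
    archive = fetch()
    if not verify_release(archive, pin):
        raise PinMismatch(f"downloaded archive does not match pin {pin}")
    return archive


# Constructed stand-in for a release archive (not a real distribution).
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed stand-in for a release archive"
SAMPLE_PIN = make_pin(SAMPLE_ARCHIVE)


# --- 2. Registry-side check for lookalike project names -------------------

# Assumed list of names worth protecting; a real registry would keep its own.
PROTECTED_NAMES = ("setuptools", "distribute", "zc.buildout")


def normalize(name: str) -> str:
    """Lower-case and fold runs of '-', '_' and '.' to '-' (PEP 503 style),
    so that 'Distribute_' and 'distribute-' compare as the same string."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance.  Edits are
    insert, delete, substitute and swap of two adjacent characters, so the
    transposition in 'distirbute' counts as one edit rather than two."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def lookalike_of(candidate: str, protected=PROTECTED_NAMES, max_distance=1):
    """Return the protected name `candidate` imitates, or None.  A candidate
    that *is* a protected name after normalization is not a lookalike."""
    c = normalize(candidate)
    for name in protected:
        p = normalize(name)
        if c == p:
            return None
        if osa_distance(c, p) <= max_distance:
            return name
    return None


if __name__ == "__main__":
    print("pin:", SAMPLE_PIN)
    print("good download ok:", verify_release(bootstrap(lambda: SAMPLE_ARCHIVE, SAMPLE_PIN), SAMPLE_PIN))
    try:
        bootstrap(lambda: b"something else entirely", SAMPLE_PIN)
    except PinMismatch as exc:
        print("tampered download rejected:", exc)
    for name in ("distirbute", "distribute_", "Distribute", "requests"):
        print(f"{name!r:14} -> lookalike of {lookalike_of(name)!r}")
```

The threshold of one edit is deliberately tight: a wider one starts flagging legitimate short names, and the point of the check is to hand a human a short list to review, not to block registrations automatically.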

