[Catalog-sig] Allowing the upload of .py files at PyPI

Donald Stufft donald.stufft at gmail.com
Thu Feb 14 23:49:06 CET 2013


On Thursday, February 14, 2013 at 5:43 PM, PJ Eby wrote:
> On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <ncoghlan at gmail.com (mailto:ncoghlan at gmail.com)> wrote:
> > I'm more concerned about phishing style attacks. I don't want the PyPI
> > admins to have to start scanning for hostile names like "distirbute".
> 
> I'm not sure what you mean. These things exist only for the
> corresponding package (buildout, setuptools, or distribute), and
> aren't downloaded from any other project. Generally, they are
> downloaded either by 1) a human, or 2) another tool that wants to
> support installation in the absence of a pre-existing setuptools or
> distribute installation (mainly zc.buildout AFAIK).
> 
> (Or are you saying that somebody might upload a project called, say,
> "distribute_", and try to trick people into downloading it? I'm not
> sure how that's a threat that can be defended against in any event.)
> 
> > So how often do the bootstrap files change?
> 
> Setuptools releases an updated version with each new release, as it
> contains an MD5 signature for downloading the new release. I *think*
> distribute does the same. Not so sure about buildout.
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> http://mail.python.org/mailman/listinfo/catalog-sig

Right, but it's easy for me to validate that the URL someone is
pointing me to belongs to setuptools on PyPI because PyPI enforces
the name setuptools-VERSION.tar.gz. So given a link to a file I know
what project on PyPI owns that file, and I can then go back and look
at that project page to verify its identity. If you have arbitrary names
then that becomes much harder for me to do as a user.

If the PR is written so that the filenames are still required to start with
the project name, I would personally feel it's a lot less likely to be easily phishable.
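The check Donald describes, tying a download link back to the project that must own it under the PROJECT-VERSION.<ext> naming rule, as an added example that is not code from this thread or from PyPI. It assumes PEP 503 style name normalisation so that spelling variants of one project compare equal, and the set of sdist suffixes is illustrative.

```python
import re
from urllib.parse import unquote, urlparse

# Common source-distribution suffixes (assumption: an illustrative set).
SDIST_EXTS = (".tar.gz", ".tar.bz2", ".tgz", ".zip")


def normalize(name: str) -> str:
    """PEP 503 style normalisation (assumption): runs of '-', '_' and '.'
    collapse to '-' and the result is lower-cased, so 'zc.buildout',
    'zc_buildout' and 'ZC-Buildout' all compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sdist_version_for(url: str, expected_project: str):
    """Return the version embedded in the filename at `url` if that file is
    named PROJECT-VERSION.<ext> for `expected_project`, otherwise None.

    None means the link cannot be tied to the project the user was told it
    belongs to, which is the situation the mail is worried about.
    """
    filename = unquote(urlparse(url).path.rsplit("/", 1)[-1])
    stem = None
    for ext in SDIST_EXTS:
        if filename.endswith(ext):
            stem = filename[: -len(ext)]
            break
    if stem is None:          # ez_setup.py, README.txt, ...: not an sdist name
        return None
    want = normalize(expected_project)
    # Project names may themselves contain '-' (python-dateutil), so every
    # hyphen is a candidate name/version boundary; the first one whose left
    # side normalises to the expected project name wins.
    for i, ch in enumerate(stem):
        if ch == "-" and normalize(stem[:i]) == want:
            version = stem[i + 1:]
            # A version starts with a digit; this rejects stems such as
            # "setuptools-latest" whose tail is not a version at all.
            if re.fullmatch(r"[0-9][0-9A-Za-z.+!-]*", version):
                return version
    return None


if __name__ == "__main__":
    # Constructed sample links, not real PyPI URLs.
    base = "https://pypi.example/packages/source/"
    print(sdist_version_for(base + "s/setuptools-0.6c11.tar.gz", "setuptools"))
    print(sdist_version_for(base + "d/distirbute-0.6.34.tar.gz", "distribute"))
```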