[Catalog-sig] Allowing the upload of .py files at PyPI

M.-A. Lemburg mal at egenix.com
Fri Feb 15 00:22:16 CET 2013


On 14.02.2013 23:54, Nick Coghlan wrote:
> On 15 Feb 2013 08:38, "Donald Stufft" <donald.stufft at gmail.com> wrote:
>>
>> On Thursday, February 14, 2013 at 5:34 PM, M.-A. Lemburg wrote:
>>>
>>> I don't follow the reasoning here. What's the difference between
>>> uploading a .py file and a .tar.gz file ?
>>>
>>> AFAIK, the only reason why the file extensions are restricted is to
>>> prevent people from uploading MP3s, movies or other material that doesn't
>>> belong on PyPI - not because there are security concerns.
>>>
>> Personally (might be different for Nick) it's less a problem with
>> uploading .py files and more a problem with allowing arbitrary names.
> 
> The sensible security mindset is to only open yourself up to attack vectors
> when you have no other choice. Since phishing attacks on the bootstrap
> scripts can be prevented categorically with a whitelist (even a hardcoded
> one at this point), the onus should be on others to explain why we should
> leave the bootstrap scripts open to such attacks.
> 
> The difference relative to releases is that those *have* to be open access
> for PyPI to work. The same is not true for the bootstrap scripts - any
> other package can automate its installation by bootstrapping pip, and then
> installing itself. There's no need to declare open season on Python file
> uploads, therefore we shouldn't do so.

The use case bootstrapping is just what got this thread started.

IMO, it's perfectly legitimate to distribute a Python module as a
Python source file, and I don't really see the difference between
doing this on PyPI compared to github, bitbucket or some other
website.

If you don't trust package owners to upload correct
files, then I fail to see why we are trying to secure PyPI
in the first place.

Let's please not get paranoid over all this :-)

-- 
Marc-Andre Lemburg
eGenix.com

