[Catalog-sig] Allowing the upload of .py files at PyPI
Richard Jones
richard at python.org
Fri Feb 15 00:31:09 CET 2013
On 15 February 2013 06:28, Tarek Ziadé <tarek at ziade.org> wrote:
> Some tools (setuptools, distribute, zope, pip) use bootstrap files to get
> installed,
>
> In order to have a more secure installation process, we'd like to be able
> to push those files on PyPI so people can download them through https using
> the PSF certificate.
>
> As Phillip Eby noticed, that requires changing this method
> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>
> by:
>
> - allowing .py extensions,
> - allowing arbitrary file names when they have the .py extension
>
> Any objection if I provide a pull request for this?
I like the idea except:
1. Limit it to a file named exactly "bootstrap-<version>.py" where the
version matches the release
2. Allow it on a whitelist basis as the likelihood of phishing is still high
3. Symlink the latest (per current PyPI rules about how to determine
"latest") "bootstrap-<version>.py" to "bootstrap.py"
The bootstrap.py file would most likely have to be omitted from the
usual files listing mechanisms as they are used to determine
installable release packages.
Yes, phishing is an issue for regular distributions too, though a
bootstrap URL is more likely to be clicked/copy-pasted than someone
actually typing in "pip install packagename". Yes, there is nothing
stopping someone adding a package "DjangoInstaller" which looks quite
legitimate. The community would hopefully notice quite quickly.
Richard
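The three conditions Richard lists (exact "bootstrap-<version>.py" naming with the version matching the release, a per-project whitelist, and a "latest" symlink target) plus the note that bootstrap files must stay out of the installable-file listing, written out as an added example. This is illustrative code, not PyPI's webui.py; the function names, the whitelist contents, the stand-in rule for non-.py files and the version-ordering rule are all assumptions.

```python
import re

# Added example sketching the upload policy proposed in the reply above.
# Not PyPI's own code: names, whitelist contents and the version ordering
# are assumptions for illustration.

# Constructed whitelist of projects allowed to upload a bootstrap script.
BOOTSTRAP_WHITELIST = {"setuptools", "distribute", "pip"}

# The only filename shape accepted for a .py upload.
_BOOTSTRAP_RE = re.compile(r"^bootstrap-(?P<version>[0-9][0-9A-Za-z.]*)\.py$")

# Assumed stand-in for the existing non-.py checks: <project>-<version>.<ext>
# with a known extension.
_ALLOWED_EXT = (".tar.gz", ".zip", ".egg", ".exe", ".msi")


def check_upload_filename(project, release_version, filename):
    """Decide whether `filename` may be attached to `release_version` of `project`.

    Returns (accepted, reason).  Path components are rejected first so a
    whitelisted .py upload can never be stored outside the release's directory.
    """
    if any(bad in filename for bad in ("/", "\\", "..")):
        return False, "path components not allowed"
    if filename.endswith(".py"):
        m = _BOOTSTRAP_RE.match(filename)
        if not m:
            return False, ".py uploads must be named exactly bootstrap-<version>.py"
        if m.group("version") != release_version:
            return False, "bootstrap version must match the release version"
        if project not in BOOTSTRAP_WHITELIST:
            return False, "project is not whitelisted for bootstrap uploads"
        return True, "bootstrap script accepted"
    if not filename.endswith(_ALLOWED_EXT):
        return False, "unsupported file type"
    if not filename.startswith(f"{project}-{release_version}."):
        return False, "filename must be <project>-<version>.<ext>"
    return True, "release file accepted"


def is_bootstrap_file(filename):
    return _BOOTSTRAP_RE.match(filename) is not None


def installable_files(filenames):
    """Listing handed to installers: bootstrap scripts are omitted so a tool
    scanning release files never mistakes bootstrap-*.py for a package."""
    return [f for f in filenames if not is_bootstrap_file(f)]


def _version_key(version):
    # Assumed ordering: dotted integer parts compare numerically, other parts
    # lexically.  PyPI's actual "latest" rule is not reproduced here.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def latest_bootstrap_target(filenames):
    """Which bootstrap-<version>.py the unversioned bootstrap.py symlink
    should point at: the highest version present, or None if there is none."""
    candidates = [f for f in filenames if is_bootstrap_file(f)]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda f: _version_key(_BOOTSTRAP_RE.match(f).group("version")),
    )


if __name__ == "__main__":
    files = ["pip-1.3.tar.gz", "bootstrap-1.3.py"]
    print(check_upload_filename("pip", "1.3", "bootstrap-1.3.py"))
    print(check_upload_filename("DjangoInstaller", "1.0", "bootstrap-1.0.py"))
    print(installable_files(files), latest_bootstrap_target(files))
```

The path-component check runs before the extension check on purpose: once arbitrary-looking names are permitted for one extension, the first thing to rule out is a name that is not a plain filename at all.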