[Catalog-sig] Allowing the upload of .py files at PyPI

Daniel Holth dholth at gmail.com
Fri Feb 15 01:01:37 CET 2013


Don't forget that you can also just upload a zip script, at least for 2.6+.
I know you still have to support 2.3.
On Feb 14, 2013 6:31 PM, "Richard Jones" <richard at python.org> wrote:

> On 15 February 2013 06:28, Tarek Ziadé <tarek at ziade.org> wrote:
> > Some tools (setuptools, distribute, zope, pip) use bootstrap files to get
> > installed,
> >
> > In order to have a more secure installation process, we'd like to be
> > able to push those files on PyPI so people can download them through
> > https using the PSF certificate.
> >
> > As Phillip Eby noticed, that requires changing this method
> >
> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
> >
> > by:
> >
> > - allowing .py extensions,
> > - allowing arbitrary file names when they have the .py extension
> >
> > Any objection if I provide a pull request for this?
>
> I like the idea except:
>
> 1. Limit it to a file named exactly "bootstrap-<version>.py" where the
> version matches the release
> 2. Allow it on a whitelist basis as the likelihood of phishing is still
> high
> 3. Symlink the latest (per current PyPI rules about how to determine
> "latest") "bootstrap-<version>.py" to "bootstrap.py"
>
> The bootstrap.py file would most likely have to be omitted from the
> usual files listing mechanisms as they are used to determine
> installable release packages.
>
> Yes, phishing is an issue for regular distributions too, though a
> bootstrap URL is more likely to be clicked/copy-pasted than someone
> actually typing in "pip install packagename". Yes, there is nothing
> stopping someone adding a package "DjangoInstaller" which looks quite
> legitimate. The community would hopefully notice quite quickly.
>
>
>      Richard
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>
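As an added illustration of the upload rule Richard sketches above (an exact "bootstrap-<version>.py" name whose version matches the release, a per-project whitelist, and keeping the script out of the installable-files listing), the following Python is not from this thread or from PyPI's webui.py; the whitelist contents and the characters permitted in a version string are assumptions.

```python
import re

# Constructed whitelist for illustration only: projects permitted to ship a
# bootstrap script. A real deployment would keep this in configuration.
BOOTSTRAP_WHITELIST = frozenset({"setuptools", "distribute", "pip"})

# The only accepted shape for a .py upload: "bootstrap-<version>.py".
# Anchored at both ends, so path separators or extra suffixes never match.
# The version character set is an assumption, not a PyPI rule.
_BOOTSTRAP_RE = re.compile(
    r"^bootstrap-(?P<version>[A-Za-z0-9][A-Za-z0-9.+!-]*)\.py$"
)


def accept_py_upload(project, release_version, filename,
                     whitelist=BOOTSTRAP_WHITELIST):
    """Return True only if all three conditions from the thread hold:
    the project is whitelisted, the file name is exactly
    'bootstrap-<version>.py', and <version> equals the release version."""
    if project not in whitelist:
        return False
    match = _BOOTSTRAP_RE.match(filename)
    if match is None:
        return False
    # Compare the embedded version literally against the release being
    # uploaded to; a near-miss such as bootstrap-1.0.py.py is rejected here.
    return match.group("version") == release_version


def installable_files(filenames):
    """Drop bootstrap scripts (and the 'bootstrap.py' symlink name) from a
    release's file list so that installers do not treat them as packages."""
    return [
        name for name in filenames
        if name != "bootstrap.py" and not _BOOTSTRAP_RE.match(name)
    ]
```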