[Catalog-sig] Allowing the upload of .py files at PyPI
Tarek Ziadé
tarek at ziade.org
Fri Feb 15 10:06:29 CET 2013
On 2/14/13 11:49 PM, Donald Stufft wrote:
> On Thursday, February 14, 2013 at 5:43 PM, PJ Eby wrote:
>> On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <ncoghlan at gmail.com
>> <mailto:ncoghlan at gmail.com>> wrote:
>>> I'm more concerned about phishing style attacks. I don't want the PyPI
>>> admins to have to start scanning for hostile names like "distirbute".
>>
>> I'm not sure what you mean. These things exist only for the
>> corresponding package (buildout, setuptools, or distribute), and
>> aren't downloaded from any other project. Generally, they are
>> downloaded either by 1) a human, or 2) another tool that wants to
>> support installation in the absence of a pre-existing setuptools or
>> distribute installation (mainly zc.buildout AFAIK).
>>
>> (Or are you saying that somebody might upload a project called, say,
>> "distribute_", and try to trick people into downloading it? I'm not
>> sure how that's a threat that can be defended against in any event.)
>>
>>> So how often do the bootstrap files change?
>>
>> Setuptools releases an updated version with each new release, as it
>> contains an MD5 signature for downloading the new release. I *think*
>> distribute does the same. Not so sure about buildout.
>> _______________________________________________
>> Catalog-SIG mailing list
>> Catalog-SIG at python.org <mailto:Catalog-SIG at python.org>
>> http://mail.python.org/mailman/listinfo/catalog-sig
> Right but it's easy for me to validate an that the url someone is
> pointing me to belongs to setuptools on PyPI because PyPI enforces
> the name setuptools-VERSION.tar.gz. So given a link to a file I know
> what project on PyPI owns that file, and I can then go back and look
> at that project page to verify it's identity. If you have arbitrary names
> then that becomes much harder for me to do as a user.
not really because the URL gives you that information:
For distribute, it will be located for example in :
https://pypi.python.org/packages/source/d/distribute/XXXX
>
> If the PR is written so that the filenames are still required to start
> with
> the project name I would personally feel a lot less likely it's easily
> phishable.
I don't understand this.
--
Tarek Ziadé · http://ziade.org · @tarek_ziade
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130215/709d36ad/attachment.html>
More information about the Catalog-SIG
mailing list