[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
Giovanni Bajo
rasky at develer.com
Sat Feb 23 00:47:37 CET 2013
On 23 Feb 2013, at 00:44, Donald Stufft <donald.stufft at gmail.com> wrote:
> On Friday, February 22, 2013 at 6:37 PM, Justin Cappos wrote:
>> 1c) hide/show a package version
>>
>> I need to look into this more. There are several ways this can be set up and I need to understand more to know how to respond. Offhand, I would say that having the developer sign and upload metadata indicating hidden vs. visible is the most secure. From a usability perspective, PyPI could sign something stating this instead, but this requires trusting PyPI more than may be wise. Were it my system, I'd prefer the former (and can talk more about risks with the latter), but either choice seems reasonable.
> Hiding/showing a package on PyPI is only in the web UI. It doesn't actually affect what the installation tools can find.
Uh-uh, I never knew this until today. Then this is, by itself, a possible security hole. I would like to see this fixed somehow (either by removing the feature, or by making sure installation tools match the web UI experience).
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
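The mismatch described above, as an added example that is not part of the original mail nor of pip's or PyPI's own code: pip resolves from the "simple" index, which is a flat list of distribution files with no hidden/visible flag, so a release the maintainer hides in the web UI is still a candidate for installation. The index HTML, the project name `examplepkg`, its versions and the `WEB_UI_VISIBLE_VERSIONS` set are all constructed for this example (the index layout assumed is the one pip reads: one `<a>` per file, optional `#sha256=` fragment).

```python
"""Added example (not from the original mail, pip or PyPI).

Checks whether versions hidden in PyPI's web UI are still exposed to
installation tools through the simple index that pip actually reads.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed stand-in for a /simple/examplepkg/ page (assumption: one
# anchor per distribution file, as pip expects). Note there is no
# hidden/visible marker anywhere in this document.
SIMPLE_INDEX_HTML = """<!DOCTYPE html><html><body>
<a href="../../packages/examplepkg-1.0.tar.gz#sha256=aaaa">examplepkg-1.0.tar.gz</a>
<a href="../../packages/examplepkg-1.1.tar.gz#sha256=bbbb">examplepkg-1.1.tar.gz</a>
<a href="../../packages/examplepkg-1.1-py2.py3-none-any.whl#sha256=cccc">examplepkg-1.1-py2.py3-none-any.whl</a>
<a href="../../packages/examplepkg-2.0.tar.gz#sha256=dddd">examplepkg-2.0.tar.gz</a>
</body></html>"""

# Constructed: what the web UI lists for the same project after the
# maintainer hid 1.1 (for instance because it shipped a bad build).
WEB_UI_VISIBLE_VERSIONS = {"1.0", "2.0"}


class _LinkCollector(HTMLParser):
    """Collect the file name of every <a href=...> on a simple-index page."""

    def __init__(self):
        super().__init__()
        self.filenames = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href:
            # Drop the #sha256=... fragment and the directory part, keep the file name.
            path = urlparse(href).path
            self.filenames.append(unquote(path.rsplit("/", 1)[-1]))


def parse_simple_index(html):
    """Return every distribution file name the index offers, in page order."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.filenames


# Version extraction for the two file kinds in the constructed index:
# wheels (name-version-pytag-abitag-platform.whl) and sdists (name-version.ext).
_WHEEL = re.compile(r"^(?P<name>[^-]+)-(?P<ver>[^-]+)-.+\.whl$")
_SDIST = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^-]*)\.(tar\.gz|zip|tar\.bz2)$")


def version_of(filename):
    """Version string embedded in a wheel or sdist file name, else None."""
    match = _WHEEL.match(filename) or _SDIST.match(filename)
    return match.group("ver") if match else None


def installable_versions(html):
    """Every version an installer can pick from the simple index."""
    return {v for v in map(version_of, parse_simple_index(html)) if v}


def hidden_but_installable(html, visible_versions):
    """Versions the web UI calls hidden that pip can nevertheless install."""
    return installable_versions(html) - set(visible_versions)


if __name__ == "__main__":
    leaked = hidden_but_installable(SIMPLE_INDEX_HTML, WEB_UI_VISIBLE_VERSIONS)
    for version in sorted(leaked):
        print(f"hidden in web UI but installable via simple index: {version}")
```

Against a live index the same check works by fetching `/simple/<project>/` and comparing it with the release list shown on the project page; the point is that only the former is what an installer trusts, so any visibility decision that is not reflected there (or, as suggested above, in developer-signed metadata the installer verifies) is cosmetic.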