[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
Donald Stufft
donald.stufft at gmail.com
Sat Feb 23 01:18:02 CET 2013
On Friday, February 22, 2013 at 6:47 PM, Giovanni Bajo wrote:
> On 23 Feb 2013, at 00:44, Donald Stufft <donald.stufft at gmail.com (mailto:donald.stufft at gmail.com)> wrote:
>
> > On Friday, February 22, 2013 at 6:37 PM, Justin Cappos wrote:
> > > > 1c) hide/show a package version
> > >
> > > I need to look into this more. There are several ways this can be set up and I need to understand more to know how to respond. Offhand, I would say that having the developer sign and upload metadata indicating hidden vs. visible is the most secure. From a usability perspective, PyPI could sign something stating this instead, but this requires trusting PyPI more than may be wise. Were it my system, I'd prefer the former (and can talk more about risks with the latter), but either choice seems reasonable.
> > Hiding/showing a package on PyPI is only in the webui. It doesn't actually affect what the installation tools can find.
>
> Uh-uh, never known this until today. Then this is, by itself, a possible security hole. I would like to see this fixed somehow (either removing the feature, and making sure installation tools match the web ui experience).
> --
Crate implements this by showing that the "hidden" version existed in the webui, but visually
showing it as "crossed out" / removed.
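The mismatch the thread describes, as an added example that is not part of the original messages: a toy index where a maintainer has marked a release "hidden", an installer that only looks at the package listing and so still picks that release, the same installer honouring the flag, and an audit check that lists every version an installer could select but the web UI does not show. The package name, versions and index data are constructed for the example; the version parser handles plain dotted numeric versions only.

```python
"""Constructed example: does a web-UI "hidden" flag change what an installer picks?"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    hidden: bool  # set by the maintainer in the web UI


def version_key(v: str) -> Tuple[int, ...]:
    """Order plain dotted numeric versions (constructed helper, not PEP 440)."""
    return tuple(int(part) for part in v.split("."))


# Constructed index: 1.2 was hidden by the maintainer after a problem was found.
INDEX: List[Release] = [
    Release("examplepkg", "1.0", hidden=False),
    Release("examplepkg", "1.1", hidden=False),
    Release("examplepkg", "1.2", hidden=True),
]


def web_ui_versions(index: List[Release], name: str) -> List[str]:
    """What a person browsing the web UI sees: hidden releases are omitted."""
    return sorted(
        (r.version for r in index if r.name == name and not r.hidden), key=version_key
    )


def installer_pick_ignoring_hidden(index: List[Release], name: str) -> Optional[str]:
    """Behaviour described in the thread: the flag lives only in the web UI,
    so a tool that walks the package listing still sees the hidden release."""
    candidates = [r for r in index if r.name == name]
    if not candidates:
        return None
    return max(candidates, key=lambda r: version_key(r.version)).version


def installer_pick_honouring_hidden(index: List[Release], name: str) -> Optional[str]:
    """Installer that matches the web UI: hidden releases are not candidates."""
    candidates = [r for r in index if r.name == name and not r.hidden]
    if not candidates:
        return None
    return max(candidates, key=lambda r: version_key(r.version)).version


def hidden_but_installable(index: List[Release], name: str) -> List[str]:
    """Audit check: versions a listing-based installer could select that the
    web UI does not show. A non-empty result is the gap the thread points at."""
    visible = set(web_ui_versions(index, name))
    return sorted(
        (r.version for r in index if r.name == name and r.version not in visible),
        key=version_key,
    )


if __name__ == "__main__":
    print("web UI shows:", web_ui_versions(INDEX, "examplepkg"))
    print("installer ignoring flag picks:", installer_pick_ignoring_hidden(INDEX, "examplepkg"))
    print("installer honouring flag picks:", installer_pick_honouring_hidden(INDEX, "examplepkg"))
    print("hidden but installable:", hidden_but_installable(INDEX, "examplepkg"))
```

Running it shows the web UI listing 1.0 and 1.1 while the listing-based installer selects 1.2; the audit function is the check a defender would run against a real index to find releases that people cannot see but tools can still install.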