[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

M.-A. Lemburg mal at egenix.com
Tue Mar 12 17:19:34 CET 2013

On 12.03.2013 16:42, Jacob Kaplan-Moss wrote:
> On Tue, Mar 12, 2013 at 10:38 AM, PJ Eby <pje at telecommunity.com> wrote:
>> I'll ask it again: why should *thousands* of projects be censored or
>> made to change their release processes, because *you* can't be
>> bothered to cache the distributions of the projects you depend on?
> Because externally-hosted files are a security risk, one that most
> users don't realize exists.
> We can either fix this problem now, or we can wait until someone is
> compromised using PyPI as a vector.

We can fix this problem, yes, but we need to do this right and
try not to break things.

I don't see the need to rush this, just to address some perceived
high risk. Files hosted on PyPI are just as risky to use as files
on any other server.

The only way to minimize the risk is by downloading all the packages
you need, do reviews of all of them and each time a new release
is published. If you then point your installers only to the repository
where you keep your reviewed files, then you can feel safer.

In reality, this doesn't happen, though, so a lot of the stuff
we're talking about here is security theater, no matter how
much crypto/signing/hashing/hosting/CDN we throw at it :-)

So let's do this carefully and find a good solution before
jumping to conclusions.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Mar 12 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Catalog-SIG mailing list