[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Jesse Noller jnoller at gmail.com
Tue Mar 12 18:33:55 CET 2013

> And I've put multiple compromise proposals out there to begin
> mitigating the problem *now* (i.e. for non-updated versions of
> setuptools), and every time, the objection is, "no, we need to ban it
> all now, no discussion, no re-evaluation, no personal choice, everyone
> must do as we say, no argument".
> And I don't understand that, at all.

There's not much to understand: external hosting of packages is *actively harmful*, period. End users of easy_install and pip *don't even realize* 99% of the time that these tools are following links off of PyPI and installing packages from random, probably insecure/non-https locations all over the internet. Once they realize it they recoil in terror if they have any understanding of the implications.

Let me put this in different terms: out of the packages using external hosting, can you prove to me that 100% of them aren't compromised machines serving malware, performing MITM attacks, etc.? The fact that the end-user tools support this is a bug, but one from history. The fact that PyPI continues to support external links on simple/ is inexcusable given that we know that they are an attack vector.

A simple proof of concept on a popular package hosted off-site deployed during PyCon would be terrible; it was bad enough that last year people were trying to MITM due to lack of SSL.
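The check described above, as an added example that is not part of this e-mail and is not pip's or setuptools' own code: given the HTML of a package's /simple/ page, list every link the installer could follow and flag the ones that leave PyPI or use plain http. The sample index page and the base URL https://pypi.python.org/simple/somepkg/ are constructed for the example; treating pypi.python.org as the only first-party host, and treating rel="homepage"/rel="download" links as the ones the legacy scraper would crawl, are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: only this host counts as "on PyPI" for the audit.
PYPI_HOSTS = {"pypi.python.org"}

# Assumption: link rels that the legacy easy_install scraper would crawl.
CRAWLED_RELS = {"homepage", "download"}

# Constructed sample of a /simple/<name>/ page (not a real package).
SAMPLE_BASE_URL = "https://pypi.python.org/simple/somepkg/"
SAMPLE_INDEX = """<html><head><title>Links for somepkg</title></head><body>
<h1>Links for somepkg</h1>
<a href="../../packages/source/s/somepkg/somepkg-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">somepkg-1.0.tar.gz</a><br/>
<a href="http://example.org/somepkg/" rel="homepage">1.0 home_page</a><br/>
<a href="http://downloads.example.org/somepkg-1.1.tar.gz" rel="download">1.1 download_url</a><br/>
<a href="https://files.example.net/somepkg-1.2.tar.gz" rel="download">1.2 download_url</a><br/>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (absolute_url, rel) for every <a href> on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if href:
            # Relative hrefs (the on-PyPI file links) are resolved against the index URL.
            self.links.append((urljoin(self.base_url, href), attrs.get("rel")))


def audit_index(html, base_url, pypi_hosts=PYPI_HOSTS):
    """Return one finding per link: where it points, and whether an installer
    following it would leave PyPI and/or talk plain http."""
    collector = _LinkCollector(base_url)
    collector.feed(html)
    findings = []
    for url, rel in collector.links:
        parts = urlsplit(url)
        findings.append({
            "url": url,
            "host": parts.hostname,
            "rel": rel,
            "external": parts.hostname not in pypi_hosts,
            "plaintext": parts.scheme != "https",
            "crawled": rel in CRAWLED_RELS,
        })
    return findings


def summarize(findings):
    """Counts a reviewer would want at a glance."""
    return {
        "total": len(findings),
        "external": sum(f["external"] for f in findings),
        "plaintext": sum(f["plaintext"] for f in findings),
        "external_plaintext": sum(f["external"] and f["plaintext"] for f in findings),
        "crawled_external": sum(f["crawled"] and f["external"] for f in findings),
    }


if __name__ == "__main__":
    results = audit_index(SAMPLE_INDEX, SAMPLE_BASE_URL)
    for f in results:
        flags = [k for k in ("external", "plaintext", "crawled") if f[k]]
        print(f"{f['host']:<24} {','.join(flags) or 'on-pypi,https':<28} {f['url']}")
    print(summarize(results))
```

Run it against a saved /simple/ page for any package you depend on; every "external" finding is a host you are trusting in addition to PyPI, and every "plaintext" one is a download an on-path attacker can rewrite.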