[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

M.-A. Lemburg mal at egenix.com
Tue Mar 12 19:00:21 CET 2013


On 12.03.2013 18:33, Jesse Noller wrote:
> 
>>
>> And I've put multiple compromise proposals out there to begin
>> mitigating the problem *now* (i.e. for non-updated versions of
>> setuptools), and every time, the objection is, "no, we need to ban it
>> all now, no discussion, no re-evaluation, no personal choice, everyone
>> must do as we say, no argument".
>>
>> And I don't understand that, at all.
> 
> There's not much to understand: external hosting of packages is *actively harmful*, period. End users of easy_install and pip *don't even realize* 99% of the time that these tools are following links off of PyPi and installing packages from random, probably insecure/non https locations all over the internet. Once they realize it they recoil in terror if they have any understanding of the implications.
> 
> Let me put this in different terms: out of the packages using external hosting: can you prove to me that 100% of them aren't compromised machines serving malware, performing MITM attacks, etc? The fact that the end user tools support this is a bug, but one from history. The fact that PyPI continues to support external links on simple/ is inexcusable given that we know that they are an attack vector. 
> 
> A simple proof of concept on a popular package hosted off site deployed during PyCon would be terrible, it was bad enough that last year people were trying to MITM due to lack of SSL. 

Let's please not exaggerate all this. It's not like PyPI is
the only server out there implementing HTTPS, ye know ;-)

A single package uploaded on PyPI with os.system('rm -rf')
in its setup.py could easily ruin all this and no HTTPS in this
world would stop it from showing its ugly face.

The whole Python package eco-system works based on trust and
injecting fear into this system is not helpful, IMO.

People need to understand the possible issues, we need to make
things safer from both the client and the server side and
improve the tool chain. There's really nothing new here.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 12 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
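Added illustration (not part of the thread or of any PyPI tooling) of the point Noller raises about installers following links off the simple/ index: a small audit that parses a constructed old-style /simple/ project page and reports every link that leaves the index host, marking the ones an installer would fetch over plain HTTP. The page content, the project name and the index URL are made-up sample data.

```python
"""Audit a PyPI /simple/<project>/ page for external, non-HTTPS download links."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of an old-style simple/ page (not a real project's page).
SAMPLE_SIMPLE_PAGE = """
<html><head><title>Links for examplepkg</title></head><body>
<h1>Links for examplepkg</h1>
<a href="../../packages/source/e/examplepkg/examplepkg-1.0.tar.gz#md5=0123">examplepkg-1.0.tar.gz</a><br/>
<a href="http://downloads.example.org/examplepkg-1.1.tar.gz" rel="download">1.1 download_url</a><br/>
<a href="https://mirror.example.net/examplepkg/" rel="homepage">1.1 home_page</a><br/>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if "href" in a:
                self.links.append((a["href"], a.get("rel", "")))

def audit_simple_page(html, page_url="https://pypi.python.org/simple/examplepkg/",
                      trusted_hosts=("pypi.python.org",)):
    """Return one finding per link whose host is not in trusted_hosts.

    'insecure' marks external links served over plain HTTP; an installer that
    crawls them downloads code with no transport protection at all.
    """
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, rel in p.links:
        url = urljoin(page_url, href)   # resolve relative package links
        u = urlparse(url)
        if u.hostname in trusted_hosts:
            continue                    # hosted on the index itself
        findings.append({
            "url": url,
            "rel": rel,                 # 'download'/'homepage' links get crawled by old tools
            "insecure": u.scheme != "https",
        })
    return findings

if __name__ == "__main__":
    for f in audit_simple_page(SAMPLE_SIMPLE_PAGE):
        flag = "INSECURE" if f["insecure"] else "external"
        print(f"{flag:9} rel={f['rel'] or '-':9} {f['url']}")
```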
