[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Tres Seaver tseaver at palladion.com
Wed Mar 13 18:21:45 CET 2013

On 03/13/2013 01:06 PM, Donald Stufft wrote:
> Really now? Let's see I can easily protect against malicious uploads
> by only installing from trusted authors

How do you know who to trust?  What if an author you trust adds a
dependency to a package to an author you have no knowledge of, or one
you actively distrust?  What if an author you trust commits one of the
other changes I outlined (removes a release / distribution, makes
backward-incompatible changes, re-uploads a changed distribution over an
existing one?)

The only way to implement "only install from trusted authors" is to run
your own index, and explicitly review / curate the package set maintained
there.   In that scenario, you run a script from time to time which looks
for new versions of your packages on PyPI and puts them into a queue for

Bob, a casual reviewer, might install the new version from PyPI into a
fresh virtualenv and test it there before pushing it into the curated index.

Carol, more paranoid^Wsecurity minded, downloads the package, verifies its
signature, unpacks the tarball, diffs it against the curated version,
compares that diff against the changelog, looks at new / changed
dependencies, and installs it into a hardened sandbox for testing.  Only
after that kind of review does she push the newly-reviewed distribution
into the curated index.

Adding an entirely new package to the curated index is a similar process,
but requires more effort from either Bob or Carol.

-- 
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
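
Carol's review steps from the message above (verify, unpack, diff against the curated version, look at new dependencies), as an added example that is not part of the original message. It substitutes a pinned SHA-256 digest for the signature check, assumes dependencies are listed in the setuptools `requires.txt` file, and runs on constructed in-memory sdists; all function and package names are hypothetical.

```python
import hashlib, io, tarfile

def make_sdist(files):
    """Build a constructed .tar.gz sdist in memory from {path: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_members(blob):
    """Map path (top-level 'name-version/' stripped) to bytes, without extracting to disk."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                members[m.name.split("/", 1)[-1]] = tar.extractfile(m).read()
    return members

def requirements(members):
    """Assumption: dependencies are listed in setuptools' *.egg-info/requires.txt."""
    text = b"".join(d for p, d in members.items() if p.endswith(".egg-info/requires.txt"))
    return {l.strip() for l in text.decode().splitlines() if l.strip() and not l.startswith("[")}

def review(curated_blob, candidate_blob, pinned_sha256):
    """Report what a reviewer must read before promoting the candidate."""
    old, new = read_members(curated_blob), read_members(candidate_blob)
    return {
        "digest_ok": hashlib.sha256(candidate_blob).hexdigest() == pinned_sha256,
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "new_deps": sorted(requirements(new) - requirements(old)),
    }

# Constructed sample distributions (not real packages).
SETUP = "from setuptools import setup\nsetup(name='example')\n"
CURATED = make_sdist({"example-1.0/setup.py": SETUP,
    "example-1.0/example/__init__.py": "VERSION = '1.0'\n",
    "example-1.0/example.egg-info/requires.txt": "known-lib\n"})
CANDIDATE = make_sdist({"example-1.1/setup.py": SETUP,
    "example-1.1/example/__init__.py": "VERSION = '1.1'\n",
    "example-1.1/example/net.py": "import unreviewed_helper\n",
    "example-1.1/example.egg-info/requires.txt": "known-lib\nunreviewed-helper\n"})
if __name__ == "__main__":  # digest here stands in for one obtained out of band
    print(review(CURATED, CANDIDATE, hashlib.sha256(CANDIDATE).hexdigest()))
```

A candidate would be pushed into the curated index only when `digest_ok` is true and every path in `added` and `changed`, plus every entry in `new_deps`, has been read and accepted.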