[Distutils] providing a way for pip to communicate extra info to users

Nathaniel Smith njs at pobox.com
Wed Apr 11 14:31:56 EDT 2018


On Mon, Apr 9, 2018, 16:47 Chris Jerdonek <chris.jerdonek at gmail.com> wrote:

>
> One of Donald's comments in response to the idea (and that occurred to
> me too and that I agree with) is that providing a way to communicate
> messages to users introduces another possible avenue for attack.


I agree that this is worth thinking about, but having thought about it I'm
having trouble coming up with a threat model where it creates additional
exposure?

If someone takes over package distribution, that's obviously a far more
serious problem. A messaging mechanism could amplify such an attack by
encouraging people to install the compromised packages – but pip's existing
check for new pip versions can also do that. Or if we have a mechanism for
securing package updates, like TUF, then presumably we can use it to
protect the MOTD as well?

-n