On 2/14/13 8:37 PM, Donald Stufft wrote:
> On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
>> Hello,
>> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
>> get installed.
>> In order to have a more secure installation process, we'd like to be
>> able to push those files to PyPI so people can download them through
>> https using the PSF certificate.
>> As Phillip Eby noticed, that requires changing this method
>> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>> by:
>> - allowing .py extensions,
>> - allowing arbitrary file names when they have the .py extension
> Arbitrary file names are a bad idea imo. What's to stop me from uploading
> setup_distribute.py and linking to it as if it was distribute_setup.py and
> installing a malware'd distribute?
If you can upload in that location, it means you are a legit
owner/maintainer of the project AFAIK.
--
Tarek Ziadé · http://ziade.org · @tarek_ziade
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
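An added example, not code from PyPI, from webui.py, or from anyone in this thread, of the kind of filename check Donald's objection points at: a .py upload under project X is refused if its name contains the name of some other registered project, so `setup_distribute.py` cannot be stored under a project that is not distribute, while `distribute_setup.py`, `ez_setup.py` and `get-pip.py` stay allowed for their own projects. The project registry is constructed for the example, and the name normalization (case-insensitive, with `-`, `_` and `.` treated as one separator) is an assumption, not PyPI's rule.

```python
import re

# Constructed stand-in for PyPI's project registry; not real data.
REGISTERED_PROJECTS = {"setuptools", "distribute", "pip", "zope", "foo"}


def _tokens(name):
    # Assumed normalization: lowercase, and runs of '-', '_', '.' are one separator.
    return [t for t in re.split(r"[-_.]+", name.lower()) if t]


def _contains(tokens, pattern):
    # True if `pattern` occurs as a contiguous run inside `tokens`.
    n = len(pattern)
    return n > 0 and any(tokens[i:i + n] == pattern
                         for i in range(len(tokens) - n + 1))


def _strip_run(tokens, pattern):
    # Remove every contiguous occurrence of `pattern` from `tokens`, so a
    # project may use its own (possibly multi-word) name freely in a filename.
    out, i, n = [], 0, len(pattern)
    while i < len(tokens):
        if n and tokens[i:i + n] == pattern:
            i += n
        else:
            out.append(tokens[i])
            i += 1
    return out


def check_py_upload(project, filename, registry=REGISTERED_PROJECTS):
    """Decide whether `filename` may be stored as a .py bootstrap file under
    `project`. Returns (accepted, reason). Illustrative policy only."""
    if filename != filename.strip() or "/" in filename or "\\" in filename:
        return False, "path separators or surrounding whitespace are not allowed"
    if not filename.endswith(".py"):
        return False, "only .py files are accepted by this check"
    stem = filename[:-3]
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", stem):
        return False, "stem must match [A-Za-z0-9][A-Za-z0-9._-]*"
    # Drop the uploading project's own name, then look for anyone else's.
    residual = _strip_run(_tokens(stem), _tokens(project))
    for other in sorted(registry):
        if _contains(residual, _tokens(other)):
            return False, "filename names another project: %s" % other
    return True, "accepted"


if __name__ == "__main__":
    for proj, fn in [("distribute", "distribute_setup.py"),
                     ("foo", "setup_distribute.py"),
                     ("setuptools", "ez_setup.py"),
                     ("pip", "get-pip.py"),
                     ("pip", "../get-pip.py")]:
        print(proj, fn, check_py_upload(proj, fn))
```

The check only narrows what a legitimate owner can name a file; as Tarek notes, anyone who can upload to the project's location is already an owner or maintainer, so it limits impersonation of other projects, not what a compromised maintainer account can publish.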