On 15 Feb 2013 05:50, "Tarek Ziadé" <ta...@ziade.org> wrote:
>
> On 2/14/13 8:37 PM, Donald Stufft wrote:
>>
>> On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
>>>
>>> Hello
>>>
>>> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
>>> get installed,
>>>
>>> In order to have a more secured installation process, we'd like to be
>>> able to push those files on PyPI so people can download them through
>>> https using the PSF certificate.
>>>
>>> As Phillip Eby noticed, that requires changing this method
>>> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>>>
>>> by:
>>>
>>> - allowing .py extensions,
>>> - allowing arbitrary file names when they have the .py extension
>>
>> Arbitrary file names is a bad idea imo. What's to stop me from uploading
>> setup_distribute.py and linking to it as if it was distribute_setup.py and
>> installing a malware'd distribute.
>
>
> If you can upload in that location, it means you are a legit owner/maintainer of the project AFAIK

I'm more concerned about phishing style attacks. I don't want the PyPI admins to have to start scanning for hostile names like "distirbute".

So how often do the bootstrap files change? If relatively frequently, I would prefer this to be a project-specific privilege granted by the PyPI admins (at least for now). If rarely, then I'd be happy enough if the update process required PyPI admin involvement (the project whitelist is probably a better idea, though).

Cheers,
Nick.

>
> --
> Tarek Ziadé · http://ziade.org · @tarek_ziade
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
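
The project whitelist and the two impersonation cases raised in this thread (a reordered file name such as setup_distribute.py, a misspelled project name such as "distirbute"), sketched as an added example that is not part of any message above and is not PyPI's code. The allowlist contents, the function names and the distance threshold are assumptions.

```python
import re

# Assumption: an admin-managed allowlist of project -> exact bootstrap file
# names. The single entry is a constructed sample using names from the thread.
BOOTSTRAP_ALLOWLIST = {"distribute": {"distribute_setup.py"}}


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def canonical(name):
    """Lower-case, drop .py and sort the tokens so reordered names collide."""
    stem = re.sub(r"\.py$", "", name.lower())
    return "_".join(sorted(t for t in re.split(r"[-_.]+", stem) if t))


def lookalike_of(name, max_distance=2):
    """Return the protected name that `name` imitates, or None."""
    protected = set(BOOTSTRAP_ALLOWLIST)
    for files in BOOTSTRAP_ALLOWLIST.values():
        protected |= files
    for known in sorted(protected):
        if name == known:
            continue
        if (canonical(name) == canonical(known)
                or osa_distance(name.lower(), known) <= max_distance):
            return known
    return None


def check_py_upload(project, filename):
    """Decide on a .py upload; returns (accepted, reason)."""
    if filename in BOOTSTRAP_ALLOWLIST.get(project, set()):
        return True, "allowlisted bootstrap file"
    imitated = lookalike_of(project) or lookalike_of(filename)
    if imitated:
        return False, "looks like %s" % imitated
    return False, "project has no bootstrap privilege"
```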