On 14.02.2013 23:10, Nick Coghlan wrote:
> On 15 Feb 2013 05:50, "Tarek Ziadé" <ta...@ziade.org> wrote:
>>
>> On 2/14/13 8:37 PM, Donald Stufft wrote:
>>>
>>> On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
>>>>
>>>> Hello
>>>>
>>>> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
>>>> get installed,
>>>>
>>>> In order to have a more secured installation process, we'd like to be
>>>> able to push those files on PyPI so people can download them through
>>>> https using the PSF certificate.
>>>>
>>>> As Phillip Eby noticed, that requires changing this method
>>>> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>>>>
>>>> by:
>>>>
>>>> - allowing .py extensions,
>>>> - allowing arbitrary file names when they have the .py extension
>>>
>>> Arbitrary file names is a bad idea imo. What's to stop me from uploading
>>> setup_distribute.py and linking to it as if it was distribute_setup.py and
>>> installing a malware'd distribute.
>>
>> If you can upload in that location, it means you are a legit
>> owner/maintainer of the project AFAIK
>
> I'm more concerned about phishing style attacks. I don't want the PyPI
> admins to have to start scanning for hostile names like "distirbute".
>
> So how often do the bootstrap files change?
>
> If relatively frequently, I would prefer this to be a project-specific
> privilege granted by the PyPI admins (at least for now).
>
> If rarely, then I'd be happy enough if the update process required PyPI
> admin involvement (the project whitelist is probably a better idea, though).

I don't follow the reasoning here. What's the difference between uploading a .py file and a .tar.gz file? AFAIK, the only reason why the file extensions are restricted is to prevent people from uploading MP3s, movies or other material that doesn't belong on PyPI - not because there are security concerns.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Feb 14 2013)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
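The thread contrasts two controls for the proposed .py uploads: a per-project whitelist of bootstrap file names granted by the PyPI admins (Nick's preference) and the admin-side scanning of look-alike names he wants to avoid. The sketch below is an added example, not code from the thread or from PyPI's webui.py; the whitelist contents, the accepted-extension list and the helper names are constructed for illustration. It shows the whitelist as the primary upload check and a separate near-match report an admin could run over new file names, so that a name such as "distirbute_setup.py" is surfaced even though no human is reading every upload.

```python
import os
from difflib import SequenceMatcher

# Constructed example of a project-specific bootstrap whitelist: only the
# named project may upload the named .py file(s). Hypothetical data, not
# PyPI's real configuration.
BOOTSTRAP_WHITELIST = {
    "distribute": {"distribute_setup.py"},
    "setuptools": {"ez_setup.py"},
}

# Illustrative subset of release-file extensions accepted without a whitelist.
ALLOWED_EXTENSIONS = (".tar.gz", ".zip", ".egg", ".exe", ".msi")


def is_valid_filename(project, filename):
    """Decide whether `project` may upload `filename`; returns (ok, reason).

    A .py upload is accepted only when the (project, filename) pair is in
    BOOTSTRAP_WHITELIST, so a different project cannot register a file that
    merely looks like another project's bootstrap script.
    """
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        return False, "path components are not allowed in upload names"
    if filename.endswith(".py"):
        if filename in BOOTSTRAP_WHITELIST.get(project, set()):
            return True, "whitelisted bootstrap file for this project"
        return False, ".py uploads require an admin-granted whitelist entry"
    if filename.endswith(ALLOWED_EXTENSIONS):
        return True, "standard release file"
    return False, "unsupported file extension"


def lookalike_of(filename, threshold=0.85):
    """Report whitelisted bootstrap names that `filename` closely resembles.

    Intended as an admin-side alert over newly uploaded names, not as the
    access-control decision; exact matches are excluded because they are
    handled by is_valid_filename().
    """
    hits = []
    for names in BOOTSTRAP_WHITELIST.values():
        for known in names:
            if known == filename:
                continue
            ratio = SequenceMatcher(None, filename.lower(), known.lower()).ratio()
            if ratio >= threshold:
                hits.append(known)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed upload attempts, including the cases raised in the thread.
    for project, name in [
        ("distribute", "distribute_setup.py"),
        ("evilproj", "distribute_setup.py"),
        ("evilproj", "setup_distribute.py"),
        ("distribute", "distribute-0.6.35.tar.gz"),
        ("distribute", "../distribute_setup.py"),
    ]:
        ok, reason = is_valid_filename(project, name)
        print(f"{project:>11} {name:<28} {'ACCEPT' if ok else 'REJECT'}: {reason}")
    print("look-alikes of distirbute_setup.py:", lookalike_of("distirbute_setup.py"))
```

The whitelist check deliberately keys on the project as well as the file name, which is the property Donald's setup_distribute.py scenario relies on not having; the similarity report is only a triage aid, and a transposition like setup_distribute.py scores too low for it, which is why it is not the control.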