On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <ncogh...@gmail.com> wrote:

> I'm more concerned about phishing style attacks. I don't want the PyPI
> admins to have to start scanning for hostile names like "distirbute".
I'm not sure what you mean. These things exist only for the corresponding package (buildout, setuptools, or distribute), and aren't downloaded from any other project. Generally, they are downloaded either by 1) a human, or 2) another tool that wants to support installation in the absence of a pre-existing setuptools or distribute installation (mainly zc.buildout AFAIK).

(Or are you saying that somebody might upload a project called, say, "distribute_", and try to trick people into downloading it? I'm not sure how that's a threat that can be defended against in any event.)

> So how often do the bootstrap files change?

Setuptools releases an updated version with each new release, as it contains an MD5 signature for downloading the new release. I *think* distribute does the same. Not so sure about buildout.

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
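Two mechanisms come up in this exchange: a bootstrap script that carries a pinned digest and rejects a download that does not match it, and the lookalike-name problem ("distirbute", "distribute_") that Nick raises. The following is an added example, not code from the thread or from setuptools, distribute or zc.buildout. The archive bytes, the `fetch()` callable and the `protected` project list are constructed stand-ins; the thread describes MD5, so the example accepts MD5 but defaults the digest algorithm parameter so a caller can pin SHA-256 instead.

```python
import hashlib
import hmac

# Constructed stand-in for the release archive a bootstrap script would
# download. Not a real setuptools/distribute file.
RELEASE_ARCHIVE = b"setuptools-0.6c11.tar.gz: constructed placeholder bytes"
TAMPERED_ARCHIVE = RELEASE_ARCHIVE + b"\n# injected by a hostile mirror"

# The digest a bootstrap script ships inline, fixed at release time.
# MD5 is what the 2013 thread describes; SHA-256 is the stronger choice.
PINNED_MD5 = hashlib.md5(RELEASE_ARCHIVE).hexdigest()
PINNED_SHA256 = hashlib.sha256(RELEASE_ARCHIVE).hexdigest()


def digest_matches(data, expected_hex, algo="md5"):
    """True when the digest of the downloaded bytes equals the pinned value."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def bootstrap_download(fetch, expected_hex, algo="md5", attempts=3):
    """Fetch-then-verify loop in the spirit of the bootstrap scripts.

    `fetch` is a hypothetical callable standing in for the HTTP download.
    Bytes are only handed back once they match the pinned digest; a
    persistent mismatch is an error, never a fallback to unverified data.
    """
    for _ in range(attempts):
        data = fetch()
        if digest_matches(data, expected_hex, algo):
            return data
    raise RuntimeError("download never matched the pinned %s digest" % algo)


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition, so 'distirbute' is 1 away from 'distribute'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalise(name):
    """Case and -/_ are treated as equivalent, as PyPI does for project names."""
    return name.lower().replace("_", "-")


def lookalike_of(name, protected, max_distance=1):
    """Return the protected project `name` is within `max_distance` edits of,
    or None. An exact (normalised) match is left to the duplicate-name check."""
    n = normalise(name)
    for project in protected:
        p = normalise(project)
        if n == p:
            continue
        if edit_distance(n, p) <= max_distance:
            return project
    return None


if __name__ == "__main__":
    archive = bootstrap_download(lambda: RELEASE_ARCHIVE, PINNED_SHA256, "sha256")
    print("verified %d bytes" % len(archive))
    for candidate in ("distirbute", "distribute_", "setup-tools", "requests"):
        print(candidate, "->", lookalike_of(candidate, ["setuptools", "distribute", "zc.buildout"]))
```

The name check is deliberately narrow: a distance of 1 catches the transposition and trailing-underscore cases from the thread without flagging every short name on the index, and the threshold is a parameter so a registry can tighten it for a small list of high-value projects rather than scanning everything.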