On Thursday, February 14, 2013 at 5:43 PM, PJ Eby wrote:
> On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <ncogh...@gmail.com> wrote:
> > I'm more concerned about phishing style attacks. I don't want the PyPI
> > admins to have to start scanning for hostile names like "distirbute".
>
> I'm not sure what you mean. These things exist only for the
> corresponding package (buildout, setuptools, or distribute), and
> aren't downloaded from any other project. Generally, they are
> downloaded either by 1) a human, or 2) another tool that wants to
> support installation in the absence of a pre-existing setuptools or
> distribute installation (mainly zc.buildout AFAIK).
>
> (Or are you saying that somebody might upload a project called, say,
> "distribute_", and try to trick people into downloading it? I'm not
> sure how that's a threat that can be defended against in any event.)
>
> > So how often do the bootstrap files change?
>
> Setuptools releases an updated version with each new release, as it
> contains an MD5 signature for downloading the new release. I *think*
> distribute does the same. Not so sure about buildout.
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
Right, but it's easy for me to validate that the URL someone is pointing me to belongs to setuptools on PyPI because PyPI enforces the name setuptools-VERSION.tar.gz. So given a link to a file I know what project on PyPI owns that file, and I can then go back and look at that project page to verify its identity. If you have arbitrary names then that becomes much harder for me to do as a user. If the PR is written so that the filenames are still required to start with the project name, I would personally feel it's a lot less likely to be easily phishable.
_______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
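The check Donald describes, written out as an added example for this thread (it is not code from PyPI or from either message): given a download link and the project it is claimed to belong to, it parses the enforced name-VERSION.suffix layout and compares the name prefix, so a loose file name like ez_setup.py cannot be attributed to any project at all. The suffix list, the digit-leading-version heuristic and the folding of '-', '_' and '.' (the rule PyPI later adopted for name normalization) are assumptions of this example, and the URLs in the test are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed: archive suffixes accepted for source distributions.
SDIST_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip")


def normalize(name: str) -> str:
    """Fold runs of '-', '_' and '.' to '-' and lowercase, so 'zc.buildout'
    and 'zc_buildout' compare equal but 'distribute_' does not equal 'distribute'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def split_sdist_filename(filename: str):
    """Return (project, version) for a 'project-VERSION.suffix' file name,
    or None when the name does not fit the enforced layout."""
    for suffix in SDIST_SUFFIXES:
        if filename.endswith(suffix):
            stem = filename[: -len(suffix)]
            break
    else:
        return None  # e.g. ez_setup.py: no owner can be read off the name
    if "-" not in stem:
        return None
    # Project names may themselves contain '-', so split on the last one.
    project, version = stem.rsplit("-", 1)
    # Assumed heuristic: a version starts with a digit.
    if not project or not version or not version[0].isdigit():
        return None
    return project, version


def file_belongs_to_project(url: str, expected_project: str) -> bool:
    """True only if the file a link points at carries expected_project as its
    name prefix, i.e. the owner is recoverable from the file name alone."""
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    parsed = split_sdist_filename(filename)
    if parsed is None:
        return False
    project, _version = parsed
    return normalize(project) == normalize(expected_project)
```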