On 15 Feb 2013 08:38, "Donald Stufft" <donald.stu...@gmail.com> wrote:
>
> On Thursday, February 14, 2013 at 5:34 PM, M.-A. Lemburg wrote:
>>
>> I don't follow the reasoning here. What's the difference between
>> uploading a .py file and a .tar.gz file?
>>
>> AFAIK, the only reason why the file extensions are restricted is to
>> prevent people from uploading MP3s, movies or other material that doesn't
>> belong on PyPI - not because there are security concerns.
>>
> Personally (might be different for Nick) it's less a problem with uploading .py
> files and more a problem with allowing arbitrary names.
The sensible security mindset is to only open yourself up to attack vectors when you have no other choice. Since phishing attacks on the bootstrap scripts can be prevented categorically with a whitelist (even a hardcoded one at this point), the onus should be on others to explain why we should leave the bootstrap scripts open to such attacks.

The difference relative to releases is that those *have* to be open access for PyPI to work. The same is not true for the bootstrap scripts - any other package can automate its installation by bootstrapping pip, and then installing itself.

There's no need to declare open season on Python file uploads, therefore we shouldn't do so.

Cheers,
Nick.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig