On 14.02.2013 23:54, Nick Coghlan wrote:
> On 15 Feb 2013 08:38, "Donald Stufft" <donald.stu...@gmail.com> wrote:
>>
>> On Thursday, February 14, 2013 at 5:34 PM, M.-A. Lemburg wrote:
>>>
>>> I don't follow the reasoning here. What's the difference between
>>> uploading a .py file and a .tar.gz file?
>>>
>>> AFAIK, the only reason why the file extensions are restricted is to
>>> prevent people from uploading MP3s, movies or other material that doesn't
>>> belong on PyPI - not because there are security concerns.
>>>
>> Personally (might be different for Nick) it's less a problem with
>> uploading .py files and more a problem with allowing arbitrary names.
>
> The sensible security mindset is to only open yourself up to attack vectors
> when you have no other choice. Since phishing attacks on the bootstrap
> scripts can be prevented categorically with a whitelist (even a hardcoded
> one at this point), the onus should be on others to explain why we should
> leave the bootstrap scripts open to such attacks.
>
> The difference relative to releases is that those *have* to be open access
> for PyPI to work. The same is not true for the bootstrap scripts - any
> other package can automate its installation by bootstrapping pip, and then
> installing itself. There's no need to declare open season on Python file
> uploads, therefore we shouldn't do so.
The bootstrapping use case is just what got this thread started. IMO, it's
perfectly legitimate to distribute a Python module as a Python source file,
and I don't really see the difference between doing this on PyPI compared to
github, bitbucket or some other website.

If you don't trust package owners to upload correct files, then I fail to
see why we are trying to secure PyPI in the first place.

Let's please not get paranoid over all this :-)

-- 
Marc-Andre Lemburg
eGenix.com

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig