On 15 February 2013 06:28, Tarek Ziadé <ta...@ziade.org> wrote:
> Some tools (setuptools, distribute, zope, pip) use bootstrap files to get
> installed.
>
> In order to have a more secured installation process, we'd like to be able
> to push those files on PyPI so people can download them through https using
> the PSF certificate.
>
> As Phillip Eby noticed, that requires changing this method
> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>
> by:
>
> - allowing .py extensions,
> - allowing arbitrary file names when they have the .py extension
>
> Any objection if I provide a pull request for this?

I like the idea except:

1. Limit it to a file named exactly "bootstrap-<version>.py" where the
version matches the release
2. Allow it on a whitelist basis as the likelihood of phishing is still high
3. Symlink the latest (per current PyPI rules about how to determine
"latest") "bootstrap-<version>.py" to "bootstrap.py"

The bootstrap.py file would most likely have to be omitted from the
usual files listing mechanisms as they are used to determine
installable release packages.

Yes, phishing is an issue for regular distributions too, though a
bootstrap URL is more likely to be clicked/copy-pasted than someone
actually typing in "pip install packagename". Yes, there is nothing
stopping someone adding a package "DjangoInstaller" which looks quite
legitimate. The community would hopefully notice quite quickly.


     Richard
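The three rules proposed above (exact `bootstrap-<version>.py` name tied to the release, a per-project whitelist, and a `bootstrap.py` alias to the latest release) as a standalone Python check. This is an added example, not code from the thread or from PyPI's webui.py; the whitelist contents are constructed, and PyPI's own "latest release" ordering is not reimplemented, the caller passes the latest version in.

```python
import re

# Constructed example whitelist; in a real deployment this would be
# configuration maintained by the PyPI admins, not a literal in code.
BOOTSTRAP_WHITELIST = frozenset({"setuptools", "distribute", "pip", "zc.buildout"})

# Exactly "bootstrap-<version>.py". \A and \Z are used instead of ^ and $
# because $ would also accept a trailing newline before end of string.
_BOOTSTRAP_RE = re.compile(r"\Abootstrap-(?P<version>[A-Za-z0-9][A-Za-z0-9.+!-]*)\.py\Z")


def is_allowed_bootstrap_file(project, release_version, filename):
    """True only if `project` is whitelisted and `filename` is exactly
    'bootstrap-<release_version>.py'. Every other .py upload is refused."""
    if project not in BOOTSTRAP_WHITELIST:
        return False
    m = _BOOTSTRAP_RE.match(filename)
    if m is None:
        return False
    # The version embedded in the name must equal the release being uploaded
    # to, compared as an exact string so "1.0" and "1.0.0" cannot be conflated.
    return m.group("version") == release_version


def is_installable_release_file(filename):
    """Bootstrap files are excluded from the listings that installers use to
    discover release packages, so they are never mistaken for a distribution."""
    return filename != "bootstrap.py" and _BOOTSTRAP_RE.match(filename) is None


def latest_bootstrap_alias(bootstrap_by_version, latest_version):
    """Return ('bootstrap.py', target) for the bootstrap file of the latest
    release, or None when the latest release did not upload one. The caller
    supplies `latest_version` using PyPI's own rules for "latest"."""
    target = bootstrap_by_version.get(latest_version)
    if target is None:
        return None
    return ("bootstrap.py", target)


if __name__ == "__main__":
    # Constructed upload attempts; only the first is accepted.
    for proj, ver, name in [
        ("pip", "1.3", "bootstrap-1.3.py"),
        ("pip", "1.3", "bootstrap-1.2.py"),        # version does not match release
        ("pip", "1.3", "Bootstrap-1.3.py"),        # wrong case
        ("pip", "1.3", "bootstrap-1.3.py.exe"),    # extra extension
        ("DjangoInstaller", "1.3", "bootstrap-1.3.py"),  # not whitelisted
    ]:
        print(proj, ver, name, is_allowed_bootstrap_file(proj, ver, name))
```

The whitelist check runs before the name check on purpose: a project outside the whitelist never gets a differentiated error that reveals which names would have passed.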
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig