On 2/14/13 11:49 PM, Donald Stufft wrote:
On Thursday, February 14, 2013 at 5:43 PM, PJ Eby wrote:
On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <ncogh...@gmail.com> wrote:
I'm more concerned about phishing style attacks. I don't want the PyPI
admins to have to start scanning for hostile names like "distirbute".

I'm not sure what you mean. These things exist only for the
corresponding package (buildout, setuptools, or distribute), and
aren't downloaded from any other project. Generally, they are
downloaded either by 1) a human, or 2) another tool that wants to
support installation in the absence of a pre-existing setuptools or
distribute installation (mainly zc.buildout AFAIK).

(Or are you saying that somebody might upload a project called, say,
"distribute_", and try to trick people into downloading it? I'm not
sure how that's a threat that can be defended against in any event.)

So how often do the bootstrap files change?

Setuptools releases an updated version with each new release, as it
contains an MD5 signature for downloading the new release. I *think*
distribute does the same. Not so sure about buildout.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
Right, but it's easy for me to validate that the URL someone is
pointing me to belongs to setuptools on PyPI because PyPI enforces
the name setuptools-VERSION.tar.gz. So given a link to a file I know
what project on PyPI owns that file, and I can then go back and look
at that project page to verify its identity. If you have arbitrary names
then that becomes much harder for me to do as a user.

Not really, because the URL gives you that information:

For distribute, it will be located, for example, in:

https://pypi.python.org/packages/source/d/distribute/XXXX


If the PR is written so that the filenames are still required to start with the project name, I would personally feel it's a lot less likely to be easily phishable.

I don't understand this.

--
Tarek Ziadé · http://ziade.org · @tarek_ziade

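As an added illustration of the check Donald describes above (mapping a download link back to the PyPI project that owns it, relying on PyPI's enforced project-VERSION.ext filename and on the /packages/source/<initial>/<project>/<filename> path Tarek quotes), here is a small Python checker. It is not code from this thread, from PyPI or from any of the projects discussed; the function names, the fixed list of archive suffixes and the sample URLs (including the hypothetical bootstrap.py filename) are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed layout of a PyPI source download URL, as quoted in the thread:
#   https://pypi.python.org/packages/source/<initial>/<project>/<filename>
# where <initial> is the first character of the project name.
_SOURCE_PATH = re.compile(
    r"^/packages/source/(?P<initial>[^/])/(?P<project>[^/]+)/(?P<filename>[^/]+)$"
)

# Archive suffixes a source distribution may carry (assumed list; ".tar.gz"
# is tested before ".tgz" so the longest match wins).
_SDIST_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip", ".tgz")


def parse_source_url(url):
    """Return (initial, project, filename) for a PyPI source URL, else None."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc != "pypi.python.org":
        return None
    m = _SOURCE_PATH.match(parts.path)
    if not m:
        return None
    return m.group("initial"), m.group("project"), m.group("filename")


def split_sdist_filename(project, filename):
    """Split 'project-VERSION.<ext>' into (version, ext).

    Returns None when the filename is not of that form for this project,
    which is exactly the case an arbitrary bootstrap filename would hit.
    """
    for suffix in _SDIST_SUFFIXES:
        if filename.endswith(suffix):
            stem = filename[: -len(suffix)]
            break
    else:
        return None
    prefix = project + "-"
    if not stem.startswith(prefix):
        return None
    version = stem[len(prefix):]
    if not version:
        return None
    return version, suffix


def check_download_url(url, expected_project):
    """Decide whether url is a download owned by expected_project.

    Returns (ok, reason). A lookalike project ("distirbute"), a filename
    that does not start with the project name, or a mismatched initial
    directory all fail, so the user can map the link back to one project
    page before trusting it.
    """
    parsed = parse_source_url(url)
    if parsed is None:
        return False, "not a https://pypi.python.org source URL"
    initial, project, filename = parsed
    if initial != project[0]:
        return False, "initial directory %r does not match project %r" % (initial, project)
    if project != expected_project:
        return False, "URL belongs to project %r, not %r" % (project, expected_project)
    split = split_sdist_filename(project, filename)
    if split is None:
        return False, "filename %r is not of the form %s-VERSION.<ext>" % (filename, project)
    return True, "owned by %s, version %s" % (project, split[0])


if __name__ == "__main__":
    # Constructed sample links (not real release URLs).
    for link in (
        "https://pypi.python.org/packages/source/d/distribute/distribute-0.6.35.tar.gz",
        "https://pypi.python.org/packages/source/d/distirbute/distirbute-0.6.35.tar.gz",
        "https://pypi.python.org/packages/source/d/distribute/distribute_-0.6.35.tar.gz",
        "https://pypi.python.org/packages/source/d/distribute/bootstrap.py",
    ):
        print(link, "->", check_download_url(link, "distribute"))
```

The last sample shows the thread's point: a file whose name is not required to start with the project name cannot be tied back to a project from the link alone, so the checker rejects it rather than guessing.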
