On 27.02.2013 16:26, Donald Stufft wrote:
> PyPI is now being served with a valid SSL certificate, and the
> tooling has begun to incorporate SSL verification of PyPI into
> the process. This is _excellent_ and the parties involved should
> all be thanked. However there is still another massive area of
> insecurity within the packaging tool chain.
> For those who don't know, when you attempt to install a particular
> package a number of urls are visited. The steps look roughly
> something like this:
>     1. Visit http://pypi.python.org/simple/Package/ and attempt to
>         collect any links that look like it's installable (tarballs,
>         #egg=, etc).
>         Note: /simple/Package/ contains download_url, home_page,
>         and any link that is contained in the long_description.
>     2. Visit any link referenced as home_page and attempt to
>         collect any links that look like it's installable.
>     3. Visit any link referenced in a dependency_links and attempt
>         to collect any links that look like it's installable.
>     4. Take all of the collected links and determine which one
>         best matches the requirement spec given and download it.
>     5. Rinse and repeat for every dependency in the requirement
>         set.
> I propose we deprecate the external links that PyPI has published
> on the /simple/ indexes which exist because of the history of PyPI.
> Ideally in some number of months (1? 2?) we would turn off adding
> these links from new releases, leaving the existing ones intact and
> then a few months later the existing links be removed completely.


There are many reasons for not hosting packages and distributions
on PyPI itself.

If you use and trust a package, you also have to know and trust its
dependencies, no matter where they are hosted, so you're not gaining
any security by disabling links to other download locations: if
you don't trust the way a package is hosted, you don't use it; if
you do, then removing the link breaks the package and all its

Instead of suggesting to remove support for externally hosted packages,
why not propose a mechanism to provide a more direct/secure way to
reference them?

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Feb 26 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
Catalog-SIG mailing list
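The crawl Donald describes (step 1 above) is what makes external links a risk: anything on the /simple/ page that "looks installable" becomes a download candidate. The script below is an added example, not code from the thread or from pip/setuptools; it parses a constructed /simple/Package/ page and separates files hosted on the index host from files on other hosts and from home_page/download_url pages the tool would go on to visit. It assumes the index marks those two link kinds with rel="homepage" and rel="download", as the PyPI simple pages of the time did.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a /simple/Package/ page: one file on PyPI itself, a
# download_url and home_page link, and links copied from the long_description.
SAMPLE_INDEX_URL = "http://pypi.python.org/simple/Package/"
SAMPLE_HTML = """<html><body>
<a href="../../packages/source/P/Package/Package-1.0.tar.gz#md5=0123">Package-1.0.tar.gz</a>
<a href="http://downloads.example.org/Package-1.1.tar.gz" rel="download">1.1 download_url</a>
<a href="http://example.org/Package/" rel="homepage">home_page</a>
<a href="http://mirror.example.net/Package-1.1.zip#egg=Package-1.1">mirror link</a>
<a href="http://example.org/docs/">docs</a>
</body></html>"""

INSTALLABLE_SUFFIXES = (".tar.gz", ".tgz", ".zip", ".tar.bz2", ".egg")


class LinkCollector(HTMLParser):
    """Collect every <a href> together with its rel attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        if attrs.get("href"):
            self.links.append((attrs["href"], attrs.get("rel") or ""))


def looks_installable(url):
    """The 'looks installable' heuristic: archive suffix or a #egg= fragment."""
    parts = urlparse(url)
    return parts.path.lower().endswith(INSTALLABLE_SUFFIXES) or parts.fragment.startswith("egg=")


def audit_simple_page(index_url, html):
    """Sort links into: internal (files on the index host), external (files on
    other hosts) and crawl (home_page/download_url pages the tool would visit)."""
    parser = LinkCollector()
    parser.feed(html)
    index_host = urlparse(index_url).netloc
    report = {"internal": [], "external": [], "crawl": []}
    for href, rel in parser.links:
        url = urljoin(index_url, href)  # relative hrefs resolve against the index
        if looks_installable(url):
            key = "internal" if urlparse(url).netloc == index_host else "external"
            report[key].append(url)
        elif rel in ("homepage", "download"):
            report["crawl"].append(url)  # visited in steps 2/3, may yield more links
    return report
```

Running `audit_simple_page(SAMPLE_INDEX_URL, SAMPLE_HTML)` shows that two of the three download candidates on this page would be fetched from hosts other than PyPI, which is exactly the surface the proposal wants to shrink.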