On Thursday, February 28, 2013 at 10:13 AM, Noah Kantrowitz wrote:
> Responding from my phone quickly before this gets any further, will write more
> later. Plan is to have pypi move package download links to a new hostname
> (probably pypi-download.python.org (http://pypi-download.python.org)) and
> then throw that behind fastly. This sidesteps 100% of issues with dynamic
> pages, etc. Simple index will be handled secondarily.

Just an aside, can we use a pythonhosted.org domain, like https://packages.pythonhosted.org/ or something?
That will prevent GIFAR-like attacks where someone finds a way to create a file that both looks like a valid file to PyPI and that browsers will interpret as something executable. Or rather it prevents it from being able to attack *.python.org.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig