On July 24, 2014 at 6:40:47 AM, Vladimir Diaz (vladimir.v.d...@gmail.com) wrote:
In metadata 2.0 even with package signing you end up where I can have you 
install “django-foobar” which depends on “FakeDjango”, which provides “Django”, 
and then for all intents and purposes you have a “Django” package installed.

Can you go into more detail?  Particularly, the part where "FakeDjango" 
provides Django.

Richard Jones mentions the case where an external index provides an "updated 
release" and tricks the updater into installing a compromised "Django."  Is 
this the same thing?


No it’s not the same thing. Metadata 2.0 provides mechanisms for one package to 
claim to be another package. This only takes effect once that package has been 
installed though. This functionality allows things like a package to provide a 
compatible shim that uses different internal guts, or for one package to 
obsolete another or even for multiple packages to “provide” the same thing and 
allow the user to select which one they want to use at install time.

-- 
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
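The chain Donald describes (install “django-foobar”, which pulls in “FakeDjango”, which then “provides” “Django” for every later requirement on that name) is easy to see in a toy resolver. The following is an added illustration, not code from this thread, from pip, or from the Metadata 2.0 / PEP 426 text; the index, the package names, the simplified `requires`/`provides` fields and the `trusted_providers` policy are all constructed for the example. It resolves the same two top-level requests twice, once honouring any installed provider and once only honouring providers the user explicitly accepted, and reports every requirement that ended up satisfied by a package of a different name.

```python
"""Toy resolver showing how a 'provides'-style field lets an installed package
stand in for another at install time.

Added illustration only: this is not pip's resolver and not the PEP 426
specification. INDEX, the package names and the `trusted_providers` policy are
constructed for the example.
"""

# Constructed index: package name -> simplified metadata. 'requires' and
# 'provides' stand in for Requires-Dist / Provides-Dist style fields.
INDEX = {
    "django-foobar": {"requires": ["FakeDjango"], "provides": []},
    "FakeDjango":    {"requires": [],             "provides": ["Django"]},
    "Django":        {"requires": [],             "provides": []},
    "my-app":        {"requires": ["Django"],     "provides": []},
}


def satisfied_by(installed, index, requirement, trusted_providers):
    """Name of the already-installed package that satisfies `requirement`, or None.

    trusted_providers: None -> any installed package that 'provides' the
                               requirement counts (permissive policy)
                       dict -> requirement -> set of package names the user
                               has explicitly accepted as providers of it
    A package whose name equals the requirement always counts.
    """
    if requirement in installed:
        return requirement
    for name in installed:
        if requirement not in index[name]["provides"]:
            continue
        if trusted_providers is None or name in trusted_providers.get(requirement, ()):
            return name
    return None


def install(requests, index, trusted_providers=None):
    """Install each top-level request and its requirements, depth first, into one
    shared environment. Returns (installed_names, log); log holds one
    (package, requirement, provider) triple per requirement edge, recording
    which installed package ended up satisfying it."""
    installed, log = [], []

    def _install(name):
        if name in installed:
            return
        installed.append(name)
        for req in index[name]["requires"]:
            provider = satisfied_by(installed, index, req, trusted_providers)
            if provider is None:
                _install(req)          # nothing installed provides it: fetch it
                provider = req
            log.append((name, req, provider))

    for name in requests:
        _install(name)
    return installed, log


def masquerades(log):
    """Requirement edges whose provider's name differs from the requirement.
    These are the places to audit: the code that got installed is whatever the
    provider ships, not the project the requirement named."""
    return [(pkg, req, prov) for pkg, req, prov in log if req != prov]


if __name__ == "__main__":
    requests = ["django-foobar", "my-app"]

    permissive, log = install(requests, INDEX)
    print("permissive:", permissive)          # real Django is never installed
    print("masquerades:", masquerades(log))   # my-app's 'Django' came from FakeDjango

    strict, log = install(requests, INDEX, trusted_providers={})
    print("strict:", strict)                  # real Django gets installed
    print("masquerades:", masquerades(log))   # []
```

In the permissive run the attacker never needs to touch the real “Django” distribution at all: once “FakeDjango” is installed, every later requirement on “Django” is reported satisfied, which is exactly the “for all intents and purposes you have a Django package installed” outcome. The strict policy (an assumption of this example, not something the metadata spec mandates) restores the invariant that a requirement on a name is met only by the distribution of that name unless the user opted into a specific provider, and `masquerades()` is the audit a practitioner would want to run over an environment regardless of policy.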
