> On May 16, 2015, at 9:31 PM, Ben Finney <ben+pyt...@benfinney.id.au> wrote:
>
> Donald Stufft <don...@stufft.io> writes:
>
>> Ok, so unless someone comes out against this in the near future here are my
>> plans:
>>
>> 1. Implement the ability to delete documentation.
>
> +1.
>
>> 2. Implement the ability to add a (simple) redirect where we would
>> essentially just send /<project>/(.*) to $REDIRECT_BASE/$1.
>>
>> 3. Implement the ability to point the documentation URL to something
>> that isn't pythonhosted.org
>
> Both of these turn PyPI into a vector for arbitrary content, including
> (for example) illegal, misleading, or malicious content.
>
> Automatic redirects actively expose the visitor to any malicious or
> mistaken links set by the project owner.
>
> If you want to allow the documentation to be at some arbitrary location
> of the project owner's choice, then an explicit static link, which the
> visitor must click on (similar to the project home page link) is best.
>

To be clear, the documentation isn’t hosted on PyPI, it’s hosted on pythonhosted.org and we already allow people to upload arbitrary content to that domain, which can include JS-based redirects.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
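
The redirect rule proposed in the thread (`/<project>/(.*)` sent to `$REDIRECT_BASE/$1`) can be sketched so that the owner-supplied base is checked once and the captured path can never leave it. This is an added example, not code from the message or from PyPI; the function names, the `bases` mapping and the sample URLs are assumptions, and the request path is assumed to be already percent-decoded.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit

# Route shape from the plan: /<project>/(.*). The project-name pattern is assumed.
ROUTE = re.compile(r"/(?P<project>[A-Za-z0-9._-]+)/(?P<rest>.*)", re.DOTALL)


def validate_base(base):
    """Check an owner-supplied redirect base; return it without a trailing slash."""
    parts = urlsplit(base)
    if parts.scheme not in ("http", "https"):
        raise ValueError("redirect base must be http or https")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("redirect base needs a plain host without credentials")
    if parts.query or parts.fragment:
        raise ValueError("redirect base must not carry a query or fragment")
    return base.rstrip("/")


def redirect_target(request_path, bases):
    """Map /<project>/<rest> to <base>/<rest>; None means 'no redirect'."""
    m = ROUTE.fullmatch(request_path)
    if not m or m.group("project") not in bases:
        return None
    base = validate_base(bases[m.group("project")])
    rest = m.group("rest")
    # Refuse backslashes and control characters (CR/LF would split the
    # Location header; browsers may treat "\" as "/").
    if "\\" in rest or any(ord(c) < 0x20 or ord(c) == 0x7F for c in rest):
        return None
    # Normalise against a root so ".." is clamped and cannot climb above the base.
    norm = posixpath.normpath("/" + rest.lstrip("/"))
    if rest.endswith("/") and norm != "/":
        norm += "/"
    return base + quote(norm, safe="/")


if __name__ == "__main__":
    # Constructed sample data.
    sample = {"demo": "https://docs.example.org/demo/"}
    for path in ("/demo/en/latest/", "/demo/../../admin", "/nope/x"):
        print(path, "->", redirect_target(path, sample))
```
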