On 11 April 2018 at 20:16, Dwight Hubbard <dhubb...@oath.com> wrote:
> It would be useful as well for sites that run their own mirror
> infrastructure to be able to add motd text to the pip commands as well.
> However I don't think this should be implemented via the response code from
> a call to some rest api.  It would be trivial to proxy the call to a
> different location and send a different message.  Any implementation would
> need some way to sign and verify the message as authentic.

-1 on explicit signing and verification of messages. The
infrastructure needed for that is more than the feature warrants.

HTTPS access to the index server is fundamental to pip - if an
attacker can subvert that, they don't need to mess with a message,
they can just replace packages. So I don't see that displaying a
message that's available from that same index server is an additional
vulnerability, surely? But I'm not a security expert - I'd defer to
someone like Donald to comment on the security aspects of any proposal

Distutils-SIG maillist  -  Distutils-SIG@python.org

Reply via email to