A MOTD from anything but a signed package would be user-supplied input.
Shell/terminal command ^[escaping would be necessary:
https://stackoverflow.com/questions/6534556/how-to-remove-and-all-of-the-escape-sequences-in-a-file-using-linux-shell-sc
Impact:
Are additional requests and variable
FYI: TUF has a custom metadata field in the targets metadata that could
potentially be used for this purpose. We can explain more if there is
interest...
On Thu, Apr 12, 2018 at 8:26 AM, Nathaniel Smith wrote:
> From the TUF perspective it seems like it would be straightforward
From the TUF perspective it seems like it would be straightforward to make
the MOTD a "package", whose "contents" is the MOTD text, and that we
"upgrade" it to get the latest text before displaying anything.
-n
On Thu, Apr 12, 2018, 05:10 Nick Coghlan wrote:
> On 12 April
It would be useful as well for sites that run their own mirror
infrastructure to be able to add motd text to the pip commands as well.
However I don't think this should be implemented via the response code from
a call to some rest api. It would be trivial to proxy the call to a
different
On 12 April 2018 at 07:01, Paul Moore wrote:
> HTTPS access to the index server is fundamental to pip - if an
> attacker can subvert that, they don't need to mess with a message,
> they can just replace packages. So I don't see that displaying a
> message that's available
On 11 April 2018 at 20:16, Dwight Hubbard wrote:
> It would be useful as well for sites that run their own mirror
> infrastructure to be able to add motd text to the pip commands as well.
>
> However I don't think this should be implemented via the response code from
> a call
On Mon, Apr 9, 2018, 16:47 Chris Jerdonek wrote:
>
> One of Donald's comments in response to the idea (and that occurred to
> me too and that I agree with) is that providing a way to communicate
> messages to users introduces another possible avenue for attack.
I
On 11 April 2018 at 17:32, Pradyun Gedam wrote:
> On Tue, 10 Apr 2018, 05:17 Chris Jerdonek, wrote:
[...]
>> A possible middle-ground could be to hard-code a message in pip. Pip
>> could display the message in certain circumstances, e.g. in response
On Tue, 10 Apr 2018, 05:17 Chris Jerdonek, wrote:
> On the pypa-dev Google group, a suggestion was raised about giving pip
> a way to communicate extra info to users.
>
> This was during a thread started by Matthew Brett about pip breaking
> for certain macOS users due
On the pypa-dev Google group, a suggestion was raised about giving pip
a way to communicate extra info to users.
This was during a thread started by Matthew Brett about pip breaking
for certain macOS users due to certain TLS changes ("Impending silent
breakage of pip / macOS likely to cause
10 matches