On Mon, Apr 9, 2018 at 11:28 AM Donald Stufft wrote:
>
> > On Apr 9, 2018, at 1:33 PM, Erik Bray wrote:
> >
> > On Fri, Apr 6, 2018 at 11:36 PM, Chris Jerdonek
> > wrote:
> >>
> >> On Fri, Apr 6, 2018 at 11:21 AM Donald Stufft wrote:
> >>>
> >>> No, there’s not. pip makes HTTP requests and there’s no place for extra
> >>> metadata attached those requests except in the HTTP status code (which
> as
> >>> you noted, pip swallows by default because historically we didn’t know
> if
> >>> the URL was expected to work or not). The simple API wasn’t really
> designed,
> >>> it evolved out of the primordial ooze.
> >>
> >>
> >> Would it make sense to open an issue for future versions of pip to allow
> >> such metadata to be attached and displayed, or is there already such an
> >> issue?
> >
> > I was going to suggest the same--while it would be too late to help in
> > this particular case (and as Donald already convincingly it explained
> > it probably won't have huge impact), this case, others I can think of
> > before it, and others that are likely to occur in the future would
> > have been well-served by the ability of PyPI administrators to set
> > arbitrary broadcast messages (a MotD if you will) to send along with
> > HTTP responses from PyPI (they could even go in an HTTP header,
> > perhaps).
> >
> > Best,
> > E
>
> It wouldn’t be a pip issue, it’d be a distutils-sig discussion and an
> amendment to PEP 503. The primary concern would be that as we move to a
> world where metadata is signed to prevent a malicious repository from
> attacking users, that this is another avenue that an attacker could take to
> trick end users (imagine a MOTD that says to pip install malicious-package).
>
> That doesn’t make it impossible, or a bad idea though! It just is
> something to consider, and the best avenue is distutils-sig.
I raised this suggestion on distutils-sig, FYI:
https://mail.python.org/pipermail/distutils-sig/2018-April/032141.html
—Chris