"Martin v. Löwis" wrote:
> On 17.06.2010 15:16, M.-A. Lemburg wrote:
>> Benji York wrote:
>>> On Thu, Jun 17, 2010 at 7:40 AM, M.-A. Lemburg<[email protected]> wrote:
>>>> http://pypi.python.org/simple/zc.buildout/
>>>>
>>>> BTW: what are all those bug links doing on the zc.buildout index page?
>>>
>>> PyPI scrapes all the links from the long description; for many projects
>>> that includes a change log with links to fixed bugs.
>>
>> Isn't that dangerous?
>>
>> AFAIK, setuptools would start opening all those URLs and might
>> find download files which are not necessarily under full control of
>> the author, e.g. anyone could add a comment to a bug report or
>> wiki page with a link to an egg file on some rogue server.
>
> I think you misunderstand. Links originate *only* from the long
> description. The package owner has full control over that.

I was referring to the linked assets that the package owner may not
have full control over, e.g. in the above case, you have links pointing
to launchpad and one to "file://".

Such links (except the file:// one) can be useful in the package
description, e.g. to point to a bug tracking system, documentation
or other resources, but they are not really needed to point setuptools
to download locations.

> If you think the package owner is opening up a security threat by
> including the links in the first place - yes, that's indeed a risk.

Is this feature still needed for setuptools?

We have download URLs and homepage URLs which should be enough
for setuptools to search and find the links to package download
files.

If it's no longer needed, then it'd be safer not to include the long
description links on the /simple index pages anymore.

--
Marc-Andre Lemburg
eGenix.com
(#1, Jun 18 2010)
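A defensive check for the concern raised in this message, as an added example that is not part of the original thread or of PyPI or setuptools: it lists the links on a /simple/ index page that leave the index host without coming from the home page or download URL fields. The sample page, its host names, and the assumption that metadata links carry rel="homepage" or rel="download" while description links carry no rel are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a /simple/ index page; every host and file name is made up.
SAMPLE_PAGE = """\
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=0000">example-1.0.tar.gz</a>
<a href="http://example.org/project" rel="homepage">home_page</a>
<a href="https://bugs.example.net/example/+bug/1234">bug 1234</a>
<a href="file:///tmp/example-1.1.tar.gz">local build</a>
<a href="http://downloads.example.com/example-1.1-py2.6.egg">mirror</a>
"""
ARCHIVE_SUFFIXES = (".egg", ".zip", ".tar.gz", ".tgz", ".tar.bz2")
DECLARED_RELS = {"homepage", "download"}  # assumed markers of the metadata fields


class LinkCollector(HTMLParser):
    """Collect (href, rel) for every anchor on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], attrs.get("rel")))


def classify(href, rel, base_url, index_hosts):
    """Resolve one link against the page URL and label where it leads."""
    url = urljoin(base_url, href)
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return url, "unsafe-scheme"
    if parts.hostname in index_hosts:
        return url, "index-hosted"
    if rel in DECLARED_RELS:
        return url, "declared-" + rel
    kind = "archive" if parts.path.lower().endswith(ARCHIVE_SUFFIXES) else "page"
    return url, "off-index-" + kind


def audit_index_page(html, base_url, index_hosts):
    """Return the links that point outside the index without being declared."""
    collector = LinkCollector()
    collector.feed(html)
    labelled = [classify(h, r, base_url, index_hosts) for h, r in collector.links]
    return [(u, label) for u, label in labelled
            if label in ("unsafe-scheme", "off-index-archive", "off-index-page")]
```

Calling `audit_index_page(SAMPLE_PAGE, "http://pypi.python.org/simple/example/", {"pypi.python.org"})` reports the bug tracker link, the file:// link and the off-index egg, and leaves the index-hosted file and the home page link alone.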
