On Fri, Jun 18, 2010 at 10:57 AM, Ian Bicking <[email protected]> wrote:
> On Fri, Jun 18, 2010 at 4:10 AM, M.-A. Lemburg <[email protected]> wrote:
>
>> > If you think the package owner is opening up a security threat by
>> > including the links in the first place - yes, that's indeed a risk.
>>
>> Is this feature still needed for setuptools ?
>
> It's fairly regularly used to link to repositories, e.g., I might put this
> text in a description:
>
> To install `the tip tarball <http://bitbucket.org/ianb/webob/get/tip.gz#egg=webob-dev>`_ use ``pip install webob==dev``

It should be noted, though, that these links must be self-describing, with #egg in this case, or with a URL that is more obviously self-describing like http://example.com/nightlies/webob-nightly.tar.gz -- the problems people are describing here are with fetching other pages and scanning them for links. If I remember correctly homepage and download_url are fetched and scanned for links, and those cause all the problems (especially homepage, as download_url tends to point to something simpler and more reliable). A simple security hole would be having a homepage that is a wiki -- anyone could edit the wiki and put up a link to a trojan package and it could get found and installed.

--
Ian Bicking | http://blog.ianbicking.org
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
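The scenario Ian describes above, as an added example that is not part of the original thread and is not pip's or setuptools' own code: a toy link scanner that collects download candidates for a project from HTML pages, once over every page it is pointed at (the homepage/download_url behaviour he recalls) and once restricted to pages the package owner controls. The two pages, the `attacker.example` hostnames and the wiki contents are all constructed for the example. The "self-describing" test accepts either an `#egg=<project>-<version>` fragment, as in the tip.gz link, or a `<project>-<version>.<archive ext>` filename, as in `webob-nightly.tar.gz`; splitting at the last hyphen and normalising names setuptools-style are simplifying assumptions.

```python
"""Toy link scanner illustrating the wiki-homepage risk from the thread.

Constructed example; not pip or setuptools code. Nothing is fetched:
the pages are inline strings standing in for a PyPI description
(owner-controlled) and a project homepage that happens to be a wiki.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

ARCHIVE_EXTS = (".tar.gz", ".tar.bz2", ".tgz", ".zip", ".egg")


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags from one HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.hrefs


def _norm(name):
    # Assumed setuptools-style normalisation: case-insensitive,
    # runs of '-', '_' and '.' treated alike.
    return re.sub(r"[-_.]+", "-", name).lower()


def self_described_project(url):
    """Return the project name a link claims to provide, or None.

    Accepts an ``#egg=<project>-<version>`` fragment or an archive
    filename shaped ``<project>-<version><ext>``. The project/version
    split at the last '-' is an assumption made for this example.
    """
    parts = urlparse(url)
    m = re.match(r"egg=(.+)-([^-]+)$", parts.fragment)
    if m:
        return _norm(m.group(1))
    filename = unquote(parts.path.rsplit("/", 1)[-1])
    for ext in ARCHIVE_EXTS:
        if filename.endswith(ext):
            stem = filename[: -len(ext)]
            if "-" in stem:
                return _norm(stem.rsplit("-", 1)[0])
    return None


def scan(pages, project, trusted_only):
    """Return download candidates for `project` found on `pages`.

    pages: list of (page_url, html, trusted) triples. `trusted` marks
    content the package owner controls; a homepage that is a wiki is not.
    With trusted_only=False every page is scanned, which is the behaviour
    that lets a wiki edit inject a trojan link.
    """
    wanted = _norm(project)
    candidates = []
    for _page_url, html, trusted in pages:
        if trusted_only and not trusted:
            continue
        for href in extract_links(html):
            if self_described_project(href) == wanted:
                candidates.append(href)
    return candidates


# Constructed pages. The first stands in for the PyPI description text
# quoted in the thread; the second for a publicly editable wiki homepage.
PYPI_DESCRIPTION = """
<p>To install <a href="http://bitbucket.org/ianb/webob/get/tip.gz#egg=webob-dev">
the tip tarball</a> use <code>pip install webob==dev</code></p>
"""
HOMEPAGE_WIKI = """
<p>Welcome to the WebOb wiki.</p>
<a href="http://example.org/wiki/WebOb/edit">edit this page</a>
<a href="http://attacker.example/webob-9.9.tar.gz">latest release</a>
<a href="http://attacker.example/dl/abc123#egg=webob-1.0">download</a>
"""
PAGES = [
    ("http://pypi.python.org/pypi/WebOb", PYPI_DESCRIPTION, True),
    ("http://example.org/wiki/WebOb", HOMEPAGE_WIKI, False),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("trusted_only=%s -> %s" % (mode, scan(PAGES, "webob", mode)))
```

The point the scan makes concrete: a self-describing link only tells you what a link claims to provide, not whether the page it sits on can be trusted. The attacker's `webob-9.9.tar.gz` and `#egg=webob-1.0` links pass the same check as the legitimate tip tarball, so the filter has to be paired with a trust boundary on which pages get scanned at all.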
