On Wed, Feb 6, 2013 at 5:45 PM, <[email protected]> wrote:
> I see. Still, it's not a problem at the moment; "python.org" does not issue
> cookies. Even for the new site, it should be possible to find a secure
> solution that doesn't involve shutting down packages.python.org.
Sadly, the only "secure solution" would be to not issue cookies, i.e. have no
login components, and that's not what's required of the new site. So
something's gotta give here. Our options are basically:

* Don't launch the new site as spec'd; revise the scope to be completely
  static and have no login components.

* Make packages.python.org strip javascript and quite possibly certain HTML
  as well (I think it has to strip forms to prevent CSRF, but I haven't
  thought that through completely).

* Move packages.python.org to a new TLD.

Since I've got an obvious financial incentive -- I'm being paid to build the
new site -- I'll stay out of advocating. But as long as *.python.org allows
arbitrary HTML and Javascript uploads, it makes the main site itself quite
easily hackable.

Jacob

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
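The cookie-scoping behaviour behind Jacob's point, as an added worked example that is not part of the Catalog-SIG thread and not python.org's or the new site's code: a small Python model of the RFC 6265 Domain and Path rules, used to show that a page served from packages.python.org can plant a "session" cookie that python.org itself will receive, while the same cookie cannot be planted from a host under a different TLD. The hostnames python.org and packages.python.org come from the thread; the cookie name and values, the /accounts path, the packages.example.net host and the three-entry public-suffix list are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Stand-in for the browser's Public Suffix List (constructed for this example;
# real browsers ship the full list).  A Domain attribute equal to one of these
# is rejected, so packages.python.org cannot set a cookie for all of "org".
PUBLIC_SUFFIXES = {"org", "com", "net"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # exact host (host-only cookie) or domain suffix
    path: str
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host is the cookie domain itself or a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def set_cookie(origin_host: str, name: str, value: str,
               domain_attr: Optional[str] = None, path: str = "/") -> Cookie:
    """Model RFC 6265 5.3: no Domain attribute gives a host-only cookie; a Domain
    attribute is honoured only if it is not a public suffix and the setting host
    domain-matches it.  Collisions on the (name, domain, path) storage key are
    not modelled; the attacker below avoids one by choosing a distinct path."""
    origin_host = origin_host.lower()
    if domain_attr is None:
        return Cookie(name, value, origin_host, path, host_only=True)
    domain_attr = domain_attr.lstrip(".").lower()
    if domain_attr in PUBLIC_SUFFIXES or not domain_matches(origin_host, domain_attr):
        raise ValueError(f"{origin_host} may not set a cookie for domain {domain_attr}")
    return Cookie(name, value, domain_attr, path, host_only=False)


def domain_rejected(origin_host: str, domain_attr: str) -> bool:
    """True if the browser model refuses a Set-Cookie with this Domain attribute."""
    try:
        set_cookie(origin_host, "session", "x", domain_attr=domain_attr)
    except ValueError:
        return True
    return False


def cookies_sent_to(jar: List[Cookie], request_host: str, request_path: str) -> List[Cookie]:
    """RFC 6265 5.4: host-only cookies go only to their exact host, domain cookies
    to every domain-matching host; longer paths are sent first, ties in creation
    order.  The server sees them all in one Cookie header."""
    request_host = request_host.lower()
    matched = []
    for c in jar:
        host_ok = request_host == c.domain if c.host_only else domain_matches(request_host, c.domain)
        if host_ok and path_matches(request_path, c.path):
            matched.append(c)
    return sorted(matched, key=lambda c: -len(c.path))  # sorted() is stable


def cookie_header(jar: List[Cookie], request_host: str, request_path: str) -> str:
    return "; ".join(f"{c.name}={c.value}" for c in cookies_sent_to(jar, request_host, request_path))


def tossed_jar() -> List[Cookie]:
    """Jar after (1) python.org issued a host-only session cookie and (2) an
    uploaded page on packages.python.org ran
        document.cookie = "session=attacker-chosen; domain=python.org; path=/accounts"
    Cookie name, values and the /accounts path are constructed for this example."""
    return [
        set_cookie("python.org", "session", "legit"),
        set_cookie("packages.python.org", "session", "attacker-chosen",
                   domain_attr="python.org", path="/accounts"),
    ]


def demo_cookie_tossing() -> str:
    """Cookie header python.org receives for /accounts/login: the tossed cookie
    sorts first, so a server that takes the first 'session' value is fixated."""
    return cookie_header(tossed_jar(), "python.org", "/accounts/login")


def demo_host_only_stays_home() -> str:
    """python.org's own host-only cookie is never sent to packages.python.org."""
    return cookie_header(tossed_jar(), "packages.python.org", "/accounts/login")


def demo_separate_tld() -> bool:
    """Option 3 from the thread: from a hypothetical packages.example.net (name
    assumed for this example) there is no shared suffix, so the cookie is refused."""
    return domain_rejected("packages.example.net", "python.org")


if __name__ == "__main__":
    print(demo_cookie_tossing())        # session=attacker-chosen; session=legit
    print(demo_host_only_stays_home())  # session=attacker-chosen
    print(demo_separate_tld())          # True
```

Run it directly to print the three results. Because the browser matches cookies by domain suffix rather than by origin, the same-origin policy offers no protection here, which is why the thread's options reduce to removing the uploaded scripts, removing the cookies, or moving the uploads off the python.org suffix. Later browsers added the __Host- cookie-name prefix, which forces a host-only cookie with Path=/ and Secure and so blocks this kind of tossing, but that postdates this 2013 discussion.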
