On Wednesday, February 6, 2013 at 7:02 PM, Jacob Kaplan-Moss wrote:

> On Wed, Feb 6, 2013 at 5:45 PM, <mar...@v.loewis.de> wrote:
> > I see. Still, it's not a problem at the moment; "python.org" does not issue
> > cookies. Even for the new site, it should be possible to find a secure
> > solution that doesn't involve shutting down packages.python.org.
>
> Sadly, the only "secure solution" would be to not issue cookies, i.e.
> have no login components, and that's not what's required of the new
> site.
>
> So something's gotta give here. Our options are basically:
>
> * Don't launch the new site as spec'd; revise the scope to be
> completely static and have no login components.
>
> * Make packages.python.org strip javascript and quite possibly certain
> HTML as well (I think it has to strip forms to prevent CSRF, but I
> haven't thought that through completely).

This is pretty hard, basically no javascript, whitelist certain elements, etc. You essentially take a lot of the value of packages.python.org out of packages.python.org all so you can type packages.python.org instead of python-packages.org (or RTD!).

> * Move packages.python.org to a new TLD.
>
> Since I've got an obvious financial incentive -- I'm being paid to
> build the new site -- I'll stay out of advocating. But as long as
> *.python.org allows arbitrary HTML and Javascript uploads, it makes
> the main site itself quite easily hackable.
>
> Jacob
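The disagreement in the thread comes down to how browser cookie scope works across hostnames: a cookie without a Domain attribute stays with the exact host that set it, a cookie with Domain=python.org is shared by every *.python.org host (and can be set by any of them), and a separate registrable domain such as python-packages.org is outside that scope entirely. The following is an added example, not code from the thread or from python.org, that runs each of those cases through the standard library's cookie jar (which implements the same Netscape-style domain matching browsers use) and reports which Cookie header a client would send. The hostnames are the ones the thread discusses; the cookie names and values are constructed for illustration.

```python
# Added example (not from the thread): cookie scope across python.org
# subdomains versus a separate domain, using only the standard library.
# Hostnames are the ones discussed in the thread; cookie names and values
# are constructed for illustration.
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def store_cookie(jar, origin_url, set_cookie_header):
    """Simulate `origin_url` answering a request with one Set-Cookie header."""
    request = urllib.request.Request(origin_url)
    jar.extract_cookies(FakeResponse([set_cookie_header]), request)


def cookies_sent_to(jar, url):
    """Return the Cookie header a client holding `jar` would send to `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def cookie_scope_report():
    """Map each scenario from the thread to the Cookie header that results."""
    report = {}

    # 1. Host-only session cookie from the main site (no Domain attribute):
    #    sent back to www.python.org only, never to packages.python.org.
    jar = http.cookiejar.CookieJar()
    store_cookie(jar, "https://www.python.org/login",
                 "sessionid=main-site-session; Path=/; HttpOnly")
    report["host-only, seen by www"] = cookies_sent_to(jar, "https://www.python.org/")
    report["host-only, seen by packages"] = cookies_sent_to(jar, "https://packages.python.org/")

    # 2. Domain-wide cookie (Domain=python.org): every subdomain receives it,
    #    so pages served under *.python.org sit inside the session's scope.
    jar = http.cookiejar.CookieJar()
    store_cookie(jar, "https://www.python.org/login",
                 "sessionid=main-site-session; Domain=python.org; Path=/")
    report["domain-wide, seen by packages"] = cookies_sent_to(jar, "https://packages.python.org/")

    # 3. The reverse direction: a response from packages.python.org may set
    #    a cookie for the whole registrable domain, and www.python.org will
    #    then receive it. This is what "move to a new TLD" removes.
    jar = http.cookiejar.CookieJar()
    store_cookie(jar, "https://packages.python.org/somepkg/",
                 "csrftoken=set-by-subdomain; Domain=python.org; Path=/")
    report["subdomain-set, seen by www"] = cookies_sent_to(jar, "https://www.python.org/")

    # 4. Same attempt from a separate domain: rejected by domain matching,
    #    so nothing reaches www.python.org.
    jar = http.cookiejar.CookieJar()
    store_cookie(jar, "https://python-packages.org/somepkg/",
                 "csrftoken=set-by-other-domain; Domain=python.org; Path=/")
    report["other-domain, seen by www"] = cookies_sent_to(jar, "https://www.python.org/")
    return report


if __name__ == "__main__":
    for scenario, header in cookie_scope_report().items():
        print(f"{scenario:32} -> {header!r}")
```

Cases 1 and 2 show why host-only cookies on the main site limit what a sibling host can read; case 3 shows why that is not sufficient on its own, since a cookie set from a subdomain for the parent domain still reaches the main site, which is the part of Jacob's argument that only a separate domain (case 4) addresses.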
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig