Quote from Jacob Kaplan-Moss <[email protected]>:

On Wed, Feb 6, 2013 at 5:45 PM,  <[email protected]> wrote:
I see. Still, it's not a problem at the moment; "python.org" does not issue
cookies. Even for the new site, it should be possible to find a secure
solution that doesn't involve shutting down packages.python.org.

Sadly, the only "secure solution" would be to not issue cookies, i.e.
have no login components, and that's not what's required of the new
site.

Why is that? If the issue is for "www.python.org", then packages.python.org
cannot steal it, can it?

So something's gotta give here. Our options are basically:

* Don't launch the new site as spec'd; revise the scope to be
completely static and have no login components.

* Make packages.python.org strip javascript and quite possibly certain
HTML as well (I think it has to strip forms to prevent CSRF, but I
haven't thought that through completely).

* Move packages.python.org to a new TLD.

There are certainly more options:
- don't use cookies 1: use basic auth instead
- don't use cookies 2: use TLS session IDs instead
- don't use cookies 3: use X.509 certificates instead
- move the login site to a new TLD (e.g. python-cms.org)

I'm not saying that all these options are practical, I'm just pointing
out that there are definitely more than the three you've mentioned.

"Move to a new TLD" is much better than "tell people to go elsewhere",
though.

Regards,
Martin
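As an added example (not part of the thread), a check of Martin's question above using the standard library's cookie jar, whose domain matching follows the same rules browsers apply: a cookie that www.python.org sets without a Domain attribute is host-only and is never sent to packages.python.org, while one set with Domain=python.org is sent to every python.org subdomain. Hostnames, cookie names and values are constructed for illustration.

```python
"""Which python.org hosts receive which cookies under browser domain matching?

Added example, not code from the thread: two Set-Cookie responses are fed to
http.cookiejar (the stdlib implementation of the Netscape/RFC 6265 rules) and
the jar is asked which cookies it would attach to later requests.
"""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value  # appends, so several headers are kept

    def info(self):
        return self._msg


def record_cookie(jar, url, set_cookie):
    """Store a cookie as if a response from `url` carried this Set-Cookie header."""
    jar.extract_cookies(FakeResponse([set_cookie]), urllib.request.Request(url))


def cookies_sent_to(jar, url):
    """Return the sorted names of the cookies the jar would send with a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";") if part.strip())


def build_jar():
    """Constructed scenario: www.python.org issues one host-only and one domain-wide cookie."""
    jar = http.cookiejar.CookieJar()
    # No Domain attribute: host-only, readable by www.python.org alone.
    record_cookie(jar, "https://www.python.org/login", "session=abc123; Secure; HttpOnly")
    # Domain=python.org: shared with every python.org subdomain, packages.python.org included.
    record_cookie(jar, "https://www.python.org/", "pref=dark; Domain=python.org")
    return jar


if __name__ == "__main__":
    jar = build_jar()
    for host in ("https://www.python.org/", "https://packages.python.org/"):
        print(host, cookies_sent_to(jar, host))
```

The session cookie stays with www.python.org only because it has no Domain attribute; any cookie the new site sets for the parent domain reaches packages.python.org as well.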

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig