On Feb 6, 2013, at 7:22 PM, [email protected] wrote:
> Quote from Jacob Kaplan-Moss <[email protected]>:
>
>> On Wed, Feb 6, 2013 at 5:45 PM, <[email protected]> wrote:
>>> I see. Still, it's not a problem at the moment; "python.org" does not issue
>>> cookies. Even for the new site, it should be possible to find a secure
>>> solution that doesn't involve shutting down packages.python.org.
>>
>> Sadly, the only "secure solution" would be to not issue cookies, i.e.
>> have no login components, and that's not what's required of the new
>> site.
>
> Why is that? If the issue is for "www.python.org", then packages.python.org
> cannot steal it, can it?
>
>> So something's gotta give here. Our options are basically:
>>
>> * Don't launch the new site as spec'd; revise the scope to be
>>   completely static and have no login components.
>>
>> * Make packages.python.org strip javascript and quite possibly certain
>>   HTML as well (I think it has to strip forms to prevent CSRF, but I
>>   haven't thought that through completely).
>>
>> * Move packages.python.org to a new TLD.
>
> There are certainly more options:
> - don't use cookies 1: use basic auth instead
> - don't use cookies 2: use TLS session IDs instead
> - don't use cookies 3: use X.509 certificates instead
> - move the login site to a new TLD (e.g. python-cms.org)
>
> I'm not saying that all these options are practical, I'm just pointing
> out that there are definitely more than the three you've mentioned.
>
> "Move to a new TLD" is much better than "tell people to go elsewhere",
> though.
>
> Regards,
> Martin

We're talking about moving packages.python.org to a new TLD, not the main site. Moving the main site/content editing from the main site to protect against the insecure, unspecified content we're allowing them to upload to PyPI for docs is a non-starter.
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
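The cookie-scoping question in this exchange (whether content served from packages.python.org can read or influence cookies for www.python.org), worked through as an added example that is not part of the thread. Python's http.cookiejar implements the Netscape cookie domain rules, so it stands in for a browser here; the packages.example.org URL is an assumed placeholder for a separate TLD.

```python
"""Which cookies cross between www.python.org and packages.python.org?

Added illustration (not from the thread). http.cookiejar applies the
classic Netscape domain rules, so it approximates browser behaviour.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _Response:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends duplicates

    def info(self):
        return self._headers


def cookies_sent(set_by, set_cookie, requested):
    """Store a cookie set by a response from URL `set_by`, then return the
    Cookie header the client would attach to a request for `requested`
    ('' if nothing would be sent)."""
    jar = CookieJar()
    jar.extract_cookies(_Response([set_cookie]), Request(set_by))
    req = Request(requested)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


WWW = "https://www.python.org/account"
PKG = "https://packages.python.org/someproject/docs.html"
OTHER = "https://packages.example.org/someproject/docs.html"  # assumed other TLD

if __name__ == "__main__":
    # 1. Host-only cookie (no Domain attribute): never sent to the sibling.
    print(repr(cookies_sent(WWW, "session=abc; Secure; HttpOnly", PKG)))
    # 2. Domain=python.org: also sent to, and readable by script on, packages.
    print(repr(cookies_sent(WWW, "session=abc; Domain=python.org; Secure", PKG)))
    # 3. A page on packages.python.org can set a parent-domain cookie that
    #    www.python.org then receives, even though www used host-only cookies.
    #    Path=/ is needed because the default path is the page's directory.
    print(repr(cookies_sent(PKG, "session=injected; Domain=python.org; Path=/", WWW)))
    # 4. From a separate registrable domain the same header does not reach www.
    print(repr(cookies_sent(OTHER, "session=injected; Domain=example.org; Path=/", WWW)))
```

Case 1 is the situation Martin describes, case 3 is why host-only cookies on www.python.org are not by themselves a complete answer, and case 4 is what moving packages.python.org to its own TLD buys.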
