On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
> Hello
>
> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
> get installed.
>
> In order to have a more secure installation process, we'd like to be
> able to push those files to PyPI so people can download them through
> https using the PSF certificate.
>
> As Phillip Eby noticed, that requires changing this method
> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
>
> by:
>
> - allowing .py extensions,
> - allowing arbitrary file names when they have the .py extension
>
Arbitrary file names are a bad idea imo. What's to stop me from uploading setup_distribute.py and linking to it as if it was distribute_setup.py and installing a malware'd distribute?

> Any objection if I provide a pull request for this?
>
> Cheers
> Tarek
>
> --
> Tarek Ziadé · http://ziade.org · @tarek_ziade
>
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
>
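The objection above is that https with the PSF certificate authenticates the server, not the file: if any name ending in .py is accepted, a look-alike such as setup_distribute.py can be uploaded and passed off as distribute_setup.py. The following is an added example for this thread, not code from PyPI, distribute or any poster. It shows the exact-name allow-list the reply implies (only distribute_setup.py is named in the thread; ez_setup.py and get-pip.py are assumed entries), a look-alike check that catches reordered or re-separated tokens, and a pinned-digest check for the downloading side. The sample script bytes and their digest are constructed for the example.

```python
"""Added example for this thread (not code from PyPI, distribute or any
poster): a strict allow-list for bootstrap file uploads, a look-alike
check that catches the setup_distribute.py vs distribute_setup.py case,
and a pinned-digest check for the downloader side."""
import hashlib
import hmac
import re

# Assumption: the exact bootstrap file names PyPI would accept. Only
# distribute_setup.py is named in the thread; the others are assumed.
ALLOWED_BOOTSTRAP_FILES = frozenset({
    "distribute_setup.py",  # distribute
    "ez_setup.py",          # setuptools
    "get-pip.py",           # pip
})


def _token_key(filename):
    """Order-insensitive token key: 'setup_distribute.py' and
    'distribute_setup.py' both map to ('distribute', 'setup')."""
    stem = filename.lower()
    if stem.endswith(".py"):
        stem = stem[:-3]
    return tuple(sorted(t for t in re.split(r"[-_.]+", stem) if t))


def lookalike_of(filename):
    """Return the allowed name that `filename` imitates (same tokens,
    different order, case or separators), or None."""
    key = _token_key(filename)
    for allowed in ALLOWED_BOOTSTRAP_FILES:
        if allowed != filename and _token_key(allowed) == key:
            return allowed
    return None


def check_upload(filename):
    """Decide whether a .py upload is accepted as a bootstrap file.

    Returns (accepted, reason). Only exact allow-listed names pass; a
    name that is a reordering of an allowed one is called out explicitly
    so the rejection is auditable.
    """
    if not filename.endswith(".py"):
        return False, "not a .py file"
    if filename in ALLOWED_BOOTSTRAP_FILES:
        return True, "exact allow-list match"
    twin = lookalike_of(filename)
    if twin is not None:
        return False, f"look-alike of {twin}"
    return False, "not an allow-listed bootstrap file"


def verify_bootstrap(data, expected_sha256):
    """Downloader side: https only authenticates the server, so compare
    the fetched script against a digest pinned by the caller."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


# Constructed sample script and its pinned digest (stands in for a real
# distribute_setup.py and the digest an installer would ship with).
SAMPLE_BOOTSTRAP = b"#!/usr/bin/env python\nprint('bootstrap')\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BOOTSTRAP).hexdigest()

if __name__ == "__main__":
    for name in ("distribute_setup.py", "setup_distribute.py",
                 "Distribute-Setup.py", "distribute_setup.tar.gz"):
        print(name, check_upload(name))
    print(verify_bootstrap(SAMPLE_BOOTSTRAP, SAMPLE_SHA256))
    print(verify_bootstrap(SAMPLE_BOOTSTRAP + b"\n", SAMPLE_SHA256))
```

The allow-list is the server-side control the reply argues for: an exact match, not "anything ending in .py". The token check is only there to give a clearer rejection reason for the transposed-name case; it does not widen what is accepted. The digest check is the client-side complement, since a valid PSF certificate says nothing about which file was served under a given name.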
