This isn't something automated tools are supposed to discover right? They previously know where it exists? Why does it need to be on PyPI at all? Seems like for this unusual case just keeping it someplace sane that has a good SSL cert seems like an obvious solution? Github or Bitbucket or whatever?
I'm personally alright with having it special cased or something though.

On Thursday, February 14, 2013 at 5:10 PM, Nick Coghlan wrote:

> On 15 Feb 2013 05:50, "Tarek Ziadé" <[email protected]> wrote:
> >
> > On 2/14/13 8:37 PM, Donald Stufft wrote:
> >>
> >> On Thursday, February 14, 2013 at 2:28 PM, Tarek Ziadé wrote:
> >>>
> >>> Hello
> >>>
> >>> Some tools (setuptools, distribute, zope, pip) use bootstrap files to
> >>> get installed,
> >>>
> >>> In order to have a more secured installation process, we'd like to be
> >>> able to push those files on PyPI so people can download them through
> >>> https using the PSF certificate.
> >>>
> >>> As Phillip Eby noticed, that requires changing this method
> >>> https://bitbucket.org/loewis/pypi/src/f18ce0fbe947c1ce778761ea81d6704572cebb24/webui.py?at=default#cl-2233
> >>>
> >>> by:
> >>>
> >>> - allowing .py extensions,
> >>> - allowing arbitrary file names when they have the .py extension
> >>
> >> Arbitrary file names is a bad idea imo. What's to stop me from uploading
> >> setup_distribute.py and linking to it as if it was distribute_setup.py and
> >> installing a malware'd distribute.
> >
> > If you can upload in that location, it means you are a legit
> > owner/maintainer of the project AFAIK
>
> I'm more concerned about phishing style attacks. I don't want the PyPI admins
> to have to start scanning for hostile names like "distirbute".
>
> So how often do the bootstrap files change?
>
> If relatively frequently, I would prefer this to be a project-specific
> privilege granted by the PyPI admins (at least for now).
>
> If rarely, then I'd be happy enough if the update process required PyPI admin
> involvement (the project whitelist is probably a better idea, though).
>
> Cheers,
> Nick.
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
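The per-project whitelist Nick suggests, as an added example of how an upload gate could apply it (this is illustrative code written for this page, not PyPI's `webui.py` or anything posted in the thread): only `.py` names approved for the uploading project pass, and a name within a couple of edits of another project's bootstrap file, such as the "distirbute" case, is refused. The whitelist entries and upload names are constructed sample data.

```python
# Constructed sample whitelist: which bootstrap file names each project may upload.
BOOTSTRAP_WHITELIST = {
    "distribute": {"distribute_setup.py"},
    "setuptools": {"ez_setup.py"},
}


def edit_distance(a, b):
    """Damerau-Levenshtein distance; counts the 'distirbute' transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def check_bootstrap_upload(project, filename, whitelist=BOOTSTRAP_WHITELIST, max_dist=2):
    """Return (allowed, reason) for a proposed bootstrap upload.

    Policy: .py only; the name must be whitelisted for the uploading project;
    and names confusable with another project's bootstrap file are rejected
    explicitly so admins do not have to spot them by eye.
    """
    if not filename.endswith(".py"):
        return False, "only .py bootstrap files are accepted"
    if filename in whitelist.get(project, set()):
        return True, "ok"
    for other, names in whitelist.items():
        if other == project:
            continue
        for name in names:
            if edit_distance(filename, name) <= max_dist:
                return False, f"{filename!r} is confusable with {other}'s {name!r}"
    return False, f"{filename!r} is not an approved bootstrap file for {project}"
```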
