On Thu, Feb 14, 2013 at 5:43 PM, PJ Eby <p...@telecommunity.com> wrote:
> On Thu, Feb 14, 2013 at 5:10 PM, Nick Coghlan <ncogh...@gmail.com> wrote:
>> I'm more concerned about phishing style attacks. I don't want the PyPI
>> admins to have to start scanning for hostile names like "distirbute".
>
> I'm not sure what you mean. These things exist only for the
> corresponding package (buildout, setuptools, or distribute), and
> aren't downloaded from any other project. Generally, they are
> downloaded either by 1) a human, or 2) another tool that wants to
> support installation in the absence of a pre-existing setuptools or
> distribute installation (mainly zc.buildout AFAIK).
>
> (Or are you saying that somebody might upload a project called, say,
> "distribute_", and try to trick people into downloading it? I'm not
> sure how that's a threat that can be defended against in any event.)
>
>> So how often do the bootstrap files change?
>
> Setuptools releases an updated version with each new release, as it
> contains an MD5 signature for downloading the new release. I *think*
> distribute does the same. Not so sure about buildout.
Buildout does not. So its bootstrap file doesn't change very often.

Jim

--
Jim Fulton
http://www.linkedin.com/in/jimfulton
Jerky is better than bacon! http://zo.pe/Kqm

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
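The thread describes bootstrap scripts that embed the digest of the release they will fetch, which is why the script has to be republished with every release. The following is an added example of that pattern, not code from setuptools, distribute or buildout: the pin table, version numbers and release bytes are all constructed here so that it runs offline, and the digests are derived from the sample bytes rather than taken from any real release. It accepts both an MD5 pin (as the thread describes) and a SHA-256 pin, and it refuses anything that is unpinned or does not match.

```python
"""Pinned-digest verification of a bootstrap download (added example)."""
import hashlib
import hmac

# Constructed stand-in for a release tarball; no real release is referenced.
SAMPLE_RELEASE = b"constructed sample release bytes, not a real tarball\n"

# Hypothetical pin table as a bootstrap script would embed it:
# version -> (hash algorithm, expected hex digest). The digests are
# computed from SAMPLE_RELEASE only so this example runs offline; a real
# bootstrap script hard-codes the published values for the release it fetches.
PINNED_DIGESTS = {
    "0.0.1": ("md5", hashlib.md5(SAMPLE_RELEASE).hexdigest()),
    "0.0.2": ("sha256", hashlib.sha256(SAMPLE_RELEASE).hexdigest()),
}


class PinMismatch(Exception):
    """Raised when a download does not match its embedded digest."""


def verify_release(data: bytes, version: str, pins=PINNED_DIGESTS) -> str:
    """Check *data* against the pinned digest for *version*.

    Returns the algorithm name on success so the caller can log which pin
    was satisfied. Raises PinMismatch on a digest mismatch and KeyError
    for a version with no pin: an unpinned version must never be accepted
    silently, because the pin is the only thing tying the download to the
    release the script was published for.
    """
    algorithm, expected = pins[version]
    actual = hashlib.new(algorithm, data).hexdigest()
    # compare_digest avoids leaking the matching prefix length via timing.
    if not hmac.compare_digest(actual, expected):
        raise PinMismatch(
            f"{algorithm} mismatch for {version}: expected {expected}, got {actual}"
        )
    return algorithm


def is_accepted(data: bytes, version: str, pins=PINNED_DIGESTS) -> bool:
    """Boolean wrapper: True only when the download matches its pin."""
    try:
        verify_release(data, version, pins)
    except (PinMismatch, KeyError):
        return False
    return True


if __name__ == "__main__":
    print(verify_release(SAMPLE_RELEASE, "0.0.2"))
    print(is_accepted(SAMPLE_RELEASE + b"tampered", "0.0.2"))
    print(is_accepted(SAMPLE_RELEASE, "9.9.9"))
```

Note what this does and does not cover: a pin like this detects a download that differs from the release the script was published for, but it says nothing about whether the user fetched the right bootstrap script in the first place, which is the lookalike-name concern raised earlier in the thread.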