Following up on all the remarks, in Distutils-SIG and here, here's a new proposal

- add a new POST API that differs from file_upload, called /bootstrap_upload

This new API will slightly differ from file_upload for these:

- it won't auto-register the release in case it does not exist
- the filename will be a fixed name: <PROJECT>-bootstrap-[version].py - with the symlinking story Richard explained - PyPI will reject files not matching this name (but I wonder if we shouldn't allow other extensions like .sh)

Files will be stored under: https://pypi.python.org/packages/bootstrap/<P>/<PACKAGE>/<PROJECT>-bootstrap-[version].py

example:

https://pypi.python.org/packages/bootstrap/d/distribute/distribute-bootstrap.py


As for the whitelist thing, I wonder if it is necessary: a fake project like "DjangoInstaller" is already able to do all kinds of damage with its setup when people are trying to install it.

I mean:

$ pip install DjangoInstaller

Looks completely legit to me, unfortunately... So until we catch that fish, damage can already be done.

Now for people clicking on a link, that can happen on *any* URL. I mean, I can try a phishing attack with a link
on my domain.

Or I can tell people to "easy_install SOME_URL_ON_PYPI", pointing to a tarball...

If we want to have a more robust system here, we'd need to deeply rethink how PyPI works wrt identity of
packages uploaders.

Cheers
Tarek

--
Tarek Ziadé · http://ziade.org · @tarek_ziade

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
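The filename and storage rules of the proposal, as an added example of the server-side check the upload endpoint would run (my own illustration, not PyPI's code). It assumes the project name comes from the authenticated upload form rather than from the filename, that only ".py" is accepted, and that the storage path mirrors the URL scheme given above.

```python
import re

# Assumed base of the storage location from the proposal.
BASE = "https://pypi.python.org/packages/bootstrap"
# Only ".py" for now; ".sh" could be appended here if the list decides to allow it.
ALLOWED_EXT = (".py",)
# Conservative character sets: nothing here can form a path separator or "..".
PROJECT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
VERSION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.]*$")


def validate_bootstrap_upload(project: str, filename: str) -> str:
    """Return the storage URL for an accepted upload, or raise ValueError.

    The project is taken from the upload form, so the filename can only ever
    be stored under that project's own directory, never another project's.
    """
    if not PROJECT_RE.match(project):
        raise ValueError("invalid project name")
    ext = next((e for e in ALLOWED_EXT if filename.endswith(e)), None)
    if ext is None:
        raise ValueError("extension not allowed")
    stem = filename[: -len(ext)]
    prefix = project + "-bootstrap"
    if stem != prefix:
        # Optional version part: <PROJECT>-bootstrap-<version>.py
        if not stem.startswith(prefix + "-"):
            raise ValueError("filename must be %s[-version]%s" % (prefix, ext))
        version = stem[len(prefix) + 1:]
        if not VERSION_RE.match(version):
            raise ValueError("invalid version in filename")
    # <P> is the first letter of the package, as in the distribute example.
    return "%s/%s/%s/%s" % (BASE, project[0].lower(), project, filename)


def is_valid_bootstrap_filename(project: str, filename: str) -> bool:
    """Boolean convenience wrapper for callers that only need accept/reject."""
    try:
        validate_bootstrap_upload(project, filename)
        return True
    except ValueError:
        return False
```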
