On 12.03.2013 16:42, Jacob Kaplan-Moss wrote:
> On Tue, Mar 12, 2013 at 10:38 AM, PJ Eby <[email protected]> wrote:
>> I'll ask it again: why should *thousands* of projects be censored or
>> made to change their release processes, because *you* can't be
>> bothered to cache the distributions of the projects you depend on?
>
> Because externally-hosted files are a security risk, one that most
> users don't realize exists.
>
> We can either fix this problem now, or we can wait until someone is
> compromised using PyPI as a vector.
We can fix this problem, yes, but we need to do this right and try not
to break things. I don't see the need to rush this, just to address
some perceived high risk.

Files hosted on PyPI are just as risky to use as files on any other
server. The only way to minimize the risk is by downloading all the
packages you need, doing reviews of all of them, and doing so again
each time a new release is published. If you then point your installers
only to the repository where you keep your reviewed files, then you can
feel safer.

In reality, this doesn't happen, though, so a lot of the stuff we're
talking about here is security theater, no matter how much
crypto/signing/hashing/hosting/CDN we throw at it :-)

So let's do this carefully and find a good solution before jumping to
conclusions.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 12 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
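The workflow Marc-Andre describes (download, review, keep the reviewed files in your own repository, and hold the installer to exactly those files) is the one place in this thread where a concrete check is possible. The following is an added example, not code from the thread or from eGenix: it records a SHA-256 manifest of a reviewed directory, classifies a freshly downloaded file as approved, tampered (same filename, different bytes) or unreviewed, and renders the manifest in pip's hash-pinned requirements format (`project==version --hash=sha256:...`, used with `pip install --require-hashes`, a pip feature that postdates this 2013 thread). The package names, versions and file contents in `demo()` are constructed for the example; the filename parsing assumes sdist names of the form `project-version.tar.gz`.

```python
"""Manifest-based check for a private repository of reviewed distributions."""
import hashlib
import os
import tempfile

# Only sdists: wheel filenames carry extra tags and need a fuller parser.
DIST_SUFFIXES = (".tar.gz", ".zip")


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large sdists never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(repo_dir):
    """Record the hash of every reviewed distribution in repo_dir.

    Run once per release, after the review; the manifest is what the
    installer is later held to, not the filename and not the host.
    """
    manifest = {}
    for name in sorted(os.listdir(repo_dir)):
        if name.endswith(DIST_SUFFIXES):
            manifest[name] = sha256_file(os.path.join(repo_dir, name))
    return manifest


def check_candidate(path, manifest):
    """Classify a downloaded file against the manifest.

    'approved'   : name known and bytes identical to the reviewed copy
    'tampered'   : name known but bytes differ (re-upload, MITM, mirror drift)
    'unreviewed' : this release never went through review
    """
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "unreviewed"
    # A matching filename alone proves nothing: whoever controls the host
    # also chooses the filename. Only the full digest counts.
    return "approved" if sha256_file(path) == expected else "tampered"


def split_sdist_name(filename):
    """'foolib-1.2.0.tar.gz' -> ('foolib', '1.2.0'); assumes project-version form."""
    for suffix in DIST_SUFFIXES:
        if filename.endswith(suffix):
            stem = filename[: -len(suffix)]
            break
    else:
        raise ValueError("not an sdist filename: %s" % filename)
    project, version = stem.rsplit("-", 1)
    return project, version


def hash_pinned_requirements(manifest):
    """Render the manifest as pip hash-checking requirements lines.

    `pip install --no-index --find-links=<repo> --require-hashes -r reviewed.txt`
    then refuses any file whose digest is not listed here.
    """
    lines = []
    for filename, digest in sorted(manifest.items()):
        project, version = split_sdist_name(filename)
        lines.append("%s==%s --hash=sha256:%s" % (project, version, digest))
    return "\n".join(lines) + "\n"


def demo():
    """Constructed scenario: two reviewed sdists, then three download attempts."""
    repo = tempfile.mkdtemp(prefix="reviewed-")
    incoming = tempfile.mkdtemp(prefix="incoming-")
    # Constructed sample payloads; real entries would be actual tarballs.
    originals = {
        "foolib-1.2.0.tar.gz": b"reviewed foolib 1.2.0 release bytes",
        "barlib-0.9.tar.gz": b"reviewed barlib 0.9 release bytes",
    }
    for name, payload in originals.items():
        with open(os.path.join(repo, name), "wb") as fh:
            fh.write(payload)
    manifest = build_manifest(repo)

    # 1) exact copy of a reviewed file, 2) same name with altered contents,
    # 3) a release that never went through review.
    samples = {
        "foolib-1.2.0.tar.gz": originals["foolib-1.2.0.tar.gz"],
        "barlib-0.9.tar.gz": originals["barlib-0.9.tar.gz"] + b"\x00extra",
        "bazlib-2.0.tar.gz": b"some release nobody reviewed",
    }
    verdicts = {}
    for name, payload in samples.items():
        path = os.path.join(incoming, name)
        with open(path, "wb") as fh:
            fh.write(payload)
        verdicts[name] = check_candidate(path, manifest)
    return manifest, verdicts


if __name__ == "__main__":
    manifest, verdicts = demo()
    print(hash_pinned_requirements(manifest))
    for name, verdict in sorted(verdicts.items()):
        print("%-22s %s" % (name, verdict))
```

The manifest is only as trustworthy as the review behind it and the place it is stored; the point of the example is that once the reviewed bytes are pinned, it no longer matters whether the installer fetched them from PyPI, an external host or a local mirror.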
