On Aug 6, 2013, at 3:15 AM, mar...@v.loewis.de wrote:

> Quoting Nick Coghlan <ncogh...@gmail.com>:
>
>> On 6 August 2013 16:09, Christian Theune <c...@gocept.com> wrote:
>>> Hi,
>>>
>>> looks like I'm late to the party to figure out that I'm going to be hurt
>>> again.
>>
>> That's why I asked for this to be put through the PEP process: to give
>> it more visibility, and provide more opportunity for people
>> potentially affected to have a chance to comment and offer
>> alternatives. Giving third parties the opportunity to read python.org
>> cookies indefinitely isn't an option.
>
> Define "third party". There are a number of organisations other than the
> PSF that can read python.org cookies.
>
> As Noah explains, it's a matter of trust. Noah chooses to trust Fastly,
> I choose to trust Christian Theune. We both have then imposed our trust
> on the community.
Sure, but there's also a matter of the *number* of people trusted; each new person to trust is another potential pain point. There's really no requirement to have the mirrors hosted on N.pypi.python.org. The fact that they are is a legacy issue that can be corrected with a much better story for reliability and security.

> In any case, I consider the cookie issue a red herring. Mirror operators
> could only steal cookies if users actually pointed their web browsers to
> the mirrors. They typically don't, since they use setuptools or pip,
> which doesn't even have access to the cookies. And, if a mirror operator
> actually does request cookies, there is a high risk in being caught in
> doing so. If that happens, the mirror operator will not only lose the mirror,
> but also lose community trust.

The cookie issue is very serious because it does not require someone to knowingly point their browser at N.pypi.python.org. A mirror operator could simply inline an image tag in a package; someone views the package page, and their browser automatically makes a request to N.pypi.python.org, which is sent the cookie, and a script on N.pypi.python.org can read it. Also, as to the claim that there is a high risk of being caught: there isn't really. It would be very easy to do this near silently.

> Regards,
> Martin
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
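The disagreement above comes down to cookie scoping: a cookie set with a Domain attribute of python.org is attached by the browser to any request for a host under python.org, including an image fetched from N.pypi.python.org, whereas a host-only cookie (no Domain attribute) is sent to the setting host alone, and HttpOnly keeps it out of document.cookie. The following is an added example, not code from the thread or from PyPI, that models the RFC 6265 matching rules so the two cases can be compared side by side. The cookie names, values and the weak/hardened attribute sets are constructed for illustration; the hostnames are the ones discussed in the thread.

```python
"""Added example (not from the thread): RFC 6265 cookie scoping, showing why a
cookie scoped to python.org as a whole is also sent to N.pypi.python.org, and how
a host-only, HttpOnly, Secure cookie avoids that. Cookie names/values are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # lower-case, no leading dot
    host_only: bool    # True when the server set no Domain attribute
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent_to(jar, url):
    """Names of the cookies a conforming browser attaches to a request for url
    (RFC 6265 section 5.4): host-only cookies need an exact host match, domain
    cookies need a domain-match; then path and Secure are checked."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for c in jar:
        if c.host_only:
            if host != c.domain:
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        if c.secure and parts.scheme != "https":
            continue
        sent.append(c.name)
    return sent


def cookies_readable_by_script_on(jar, url):
    """What document.cookie exposes to a script running on a page at url:
    everything that would be sent there, minus cookies flagged HttpOnly."""
    by_name = {c.name: c for c in jar}
    return [n for n in cookies_sent_to(jar, url) if not by_name[n].http_only]


# Constructed jar: both cookies were set by a response from pypi.python.org.
JAR = [
    # weak: Domain=.python.org widens the scope to every python.org host, and
    # without HttpOnly any script on those hosts can read it
    Cookie("pypi_session_wide", "s3cret", domain="python.org", host_only=False),
    # hardened: no Domain attribute (host-only) plus HttpOnly and Secure
    Cookie("pypi_session_hostonly", "s3cret", domain="pypi.python.org",
           host_only=True, secure=True, http_only=True),
]

if __name__ == "__main__":
    # A package page on pypi.python.org embeds an image hosted on a mirror
    # subdomain; the browser fetches it and attaches whatever cookies are in scope.
    print("sent to mirror:", cookies_sent_to(JAR, "https://n.pypi.python.org/x.png"))
    print("sent to pypi  :", cookies_sent_to(JAR, "https://pypi.python.org/pypi/foo"))
    print("script-readable on mirror:",
          cookies_readable_by_script_on(JAR, "https://n.pypi.python.org/page"))
```

Running it shows the domain-wide cookie going to the mirror host while the host-only one stays with pypi.python.org; the mitigation is therefore twofold: set session cookies host-only with HttpOnly and Secure, and keep untrusted hosts off subdomains of the one that sets them.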