On 11 April 2018 at 20:16, Dwight Hubbard <dhubb...@oath.com> wrote:
> It would be useful as well for sites that run their own mirror
> infrastructure to be able to add motd text to the pip commands as well.
>
> However I don't think this should be implemented via the response code from
> a call to some rest api.  It would be trivial to proxy the call to a
> different location and send a different message.  Any implementation would
> need some way to sign and verify the message as authentic.

-1 on explicit signing and verification of messages. The
infrastructure needed for that is more than the feature warrants.

HTTPS access to the index server is fundamental to pip - if an
attacker can subvert that, they don't need to mess with a message,
they can just replace packages. So I don't see that displaying a
message that's available from that same index server is an additional
vulnerability, surely? But I'm not a security expert - I'd defer to
someone like Donald to comment on the security aspects of any proposal
here.

Paul
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig