On 11/4/18 5:38 PM, Steven D'Aprano wrote:
> On Sun, Nov 04, 2018 at 12:16:14PM -0500, Ned Deily wrote:
>
>> On Nov 4, 2018, at 12:04, Paul Ganssle <p...@ganssle.io> wrote:
>>
>>> Some of the concerns about increasing the surface area I think are a
>>> bit overblown. I haven't seen any problems yet in the projects that
>>> do this,
>
> You may or may not be right, but have you looked for problems or just
> assumed that because nobody has brought any to your attention, they
> don't exist?
>
> "I have seen nothing" != "there is nothing to see".
>

I can only speak from my experience with setuptools, but I do look at every setuptools PR and I've never seen anything even close to this. That said, I have also never seen anyone using my Travis or Appveyor instances to mine cryptocurrency, but I've been told that that happens.

In any case, I think the standard should not be "this never happens" (otherwise you also can't run CI), but that it happens rarely enough that it's not a major problem and that you can deal with it when it does come up.

Frankly, I think the much more likely target for these sorts of attacks is small, mostly abandoned projects with very few followers. If you post a spam site on some ephemeral domain via the CPython CI, it's likely that hundreds of people will notice it just because it's a very active project. You will be banned from the project for life and probably reported to github nearly instantly. Likely you have much more value for your time if you target some 1-star repo that set this up 2 years ago and is maintained by someone who hasn't committed to github in over a year.

That said, big projects like CPython are probably more likely to attract the troll version of this, where the point isn't to get away with hosting some content or using the CI, but to annoy and disrupt the project itself by wasting our resources chasing down spam or whatever. I think if that isn't already happening with comment floods on the issue tracker, GH threads and mailing lists, it's not especially /more/ likely to happen because people can spin up a website with a PR.

>>> and I don't think it lends itself to abuse particularly
>>> well. Considering that the rest of the CI suite lets you run
>>> arbitrary code on many platforms, I don't think it's particularly
>>> more dangerous to allow people to generate ephemeral static hosted
>>> web sites as well.
>> The rest of the CI suite does not let you publish things on the
>> python.org domain, unless I'm forgetting something; they're clearly
>> under a CI environment like Travis or AppVeyor or Azure. That's
>> really my main concern.
> Sorry Ned, I don't follow you here. It sounds like you're saying that
> you're fine with spam or abusive content being hosted in our name, so
> long as it's hosted by somebody else, rather than by us (python.org)
> ourselves.
>
> I trust I'm missing something, but I don't know what it is.

I think there are two concerns - one is that the python.org domain is generally (currently) used for official content. If people can put arbitrary websites on there, presumably they can exploit whatever trust people have put into this fact.

Another is that - and I am not a web expert here - I think that the domain where content is hosted is used as a marker of trust between different pages, and many applications will consider anything on *.python.org to be first-party content from other *.python.org domains. I believe this is the reason why readthedocs moved all hosted documentation from *.readthedocs.org to *.readthedocs.io. Similarly user-submitted content on PyPI is usually hosted under the pythonhosted.org domain, not pypi.org or pypi.python.org. You'll notice that GH also hosts user content under a githubusercontent.org domain.
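The "marker of trust" point above, as an added illustration that is not part of the thread: a cookie scoped to the parent domain is attached to requests for every subdomain, so pages served under a user-controllable `*.python.org` host sit inside the same cookie boundary as the official sites, while a separate registrable domain such as pythonhosted.org does not. The jar contents and the `pr-preview.python.org` host are constructed for the example; the matching is done by the standard library's default cookie policy.

```python
# Added example (not from the thread): shows how cookie scope follows the
# registrable domain. Hostnames such as pr-preview.python.org are constructed
# for illustration and do not describe real infrastructure.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def domain_cookie(name: str, value: str, domain: str) -> Cookie:
    """Build a Netscape-style (version 0) cookie carrying an explicit Domain
    attribute, as a server sets with 'Set-Cookie: name=value; Domain=...'."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=False,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent_to(jar: CookieJar, url: str) -> list[str]:
    """Names of the cookies the jar would attach to a request for url,
    decided by the stdlib's default domain-matching policy."""
    req = Request(url)
    jar.add_cookie_header(req)          # applies DefaultCookiePolicy
    header = req.get_header("Cookie")
    if not header:
        return []
    return [part.split("=", 1)[0] for part in header.split("; ")]


def build_jar() -> CookieJar:
    """Constructed jar: one cookie scoped to all of python.org, one scoped
    to the separate pythonhosted.org domain used for user content."""
    jar = CookieJar()
    jar.set_cookie(domain_cookie("official_session", "s3cr3t", ".python.org"))
    jar.set_cookie(domain_cookie("user_content", "x", ".pythonhosted.org"))
    return jar


if __name__ == "__main__":
    jar = build_jar()
    for host in ("docs.python.org", "pr-preview.python.org",
                 "pythonhosted.org", "files.pythonhosted.org"):
        print(host, cookies_sent_to(jar, f"https://{host}/"))
```

The official cookie reaches both docs.python.org and the hypothetical pr-preview.python.org, and never reaches either pythonhosted.org host, which is the isolation the separate domain buys.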
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev