[Catalog-sig] Hosting documentation on PyPI
Ian Bicking
ianb at colorstudy.com
Wed Aug 6 18:15:02 CEST 2008
Martin v. Löwis wrote:
> I'd like to start offering to host web pages on PyPI,
> primarily for the purpose of documentation. Users would
> upload a tar.gz file into PyPI, which would unpack it,
> and make it available as /doc/<package>/<version>.
>
> To prevent this from being spammed, restrictions on
> posting documentation would be established:
> - only approved users may post documentation, approval
> can be obtained by submitting a support request into
> the PyPI tracker.
> - only static pages are supported, no includes, no
> directory listings, just plain files.
>
> What do you think?

I like the idea.

There's an XSS concern if users can upload arbitrary HTML. Approval
would address some of that, but it might be better to avoid the issue
altogether.

One way to handle that would be to host each package's documentation on
a different domain. E.g., package.pypi.python.org.

Another option is using an HTML scrubber. But removing JavaScript would
be unfortunate in this case as there are a lot of good uses of it, so
multiple domains would be better IMHO.

If implemented I think all existing packages could be approved, which
would greatly reduce the approval queue.

--
Ian Bicking : ianb at colorstudy.com : http://blog.ianbicking.org
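
Added example, not part of the original message or of PyPI's code: a Python sketch of the origin comparison a browser applies to the two hosting layouts discussed above, plus the cookie-scope check that decides whether a per-package hostname actually keeps session cookies away from uploaded pages. The https scheme, the /pypi application URL, the path layout under the per-package host and the package names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
PYPI_APP = "https://pypi.python.org/pypi"  # assumed URL of the logged-in application


def origin(url):
    """Return the (scheme, host, port) triple compared in same-origin checks."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])


def same_origin(a, b):
    return origin(a) == origin(b)


def cookie_sent_to(request_host, set_by_host, domain_attr=None):
    """RFC 6265 domain matching. A cookie set without a Domain attribute is
    host-only; a Domain attribute widens it to that domain and its subdomains."""
    request_host = request_host.lower()
    if domain_attr is None:
        return request_host == set_by_host.lower()
    domain = domain_attr.lstrip(".").lower()
    return request_host == domain or request_host.endswith("." + domain)


def doc_url_shared(package, version):
    # Layout from the quoted proposal: /doc/<package>/<version> on the main host.
    return f"https://pypi.python.org/doc/{package}/{version}/index.html"


def doc_url_isolated(package, version):
    # Layout from the reply: one hostname per package (path layout assumed).
    return f"https://{package}.pypi.python.org/{version}/index.html"


if __name__ == "__main__":
    for name, build in (("shared", doc_url_shared), ("isolated", doc_url_isolated)):
        a, b = build("alpha", "1.0"), build("beta", "2.0")  # constructed packages
        print(name, "docs share origin with app:", same_origin(a, PYPI_APP))
        print(name, "docs share origin with each other:", same_origin(a, b))
    host = "alpha.pypi.python.org"
    print("host-only session cookie reaches docs:",
          cookie_sent_to(host, "pypi.python.org"))
    print("Domain=.pypi.python.org cookie reaches docs:",
          cookie_sent_to(host, "pypi.python.org", ".pypi.python.org"))
```

The last check is the condition that matters when deploying the per-package layout: the session cookie has to be set without a Domain attribute, otherwise it is still sent to every documentation hostname.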