[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Wed Feb 1 00:43:56 CET 2012


I don't think anyone is arguing that it's not occasionally useful. The question to answer is whether the occasional usefulness is worth the risks that come with it. In my opinion the small utility (being able to correct a borked packaging job) is not worth the risks to both my application's stability and the security of my entire system.


On Tuesday, January 31, 2012 at 5:53 PM, Michael Foord wrote:

> 
> 
> On 29 January 2012 23:47, Richard Jones <r1chardj0n3s at gmail.com (mailto:r1chardj0n3s at gmail.com)> wrote:
> > Hi catalog-sig,
> > 
> > When we initially implemented file upload to PyPI it was our intention
> > that the file be immutable once uploaded. The goal was to make things
> > significantly simpler for end users - there would only ever be one
> > file with a given name. If the content changed then so must the name
> > (typically by creating a new release version.)
> > 
> > After the upload facility was put in place we also added the ability
> > to delete files uploaded to pypi. This created a loophole: if a
> > package owner knew how to they could delete the file and re-upload,
> > thus circumventing the replacement protection.
> > 
> > I'm considering closing this loophole by retaining a record of the
> > uploaded file (though not the contents) so that future uploads with
> > the same name wouldn't be allowed. I understand that this is how the
> > ruby gem archive handles deletion of files.
> > 
> > Your thoughts?
> 
> 
> FWIW I've occasionally found it useful to be able to delete uploads and replace them, so I'm -1 on losing this capability.
> 
> All the best,
> 
> Michael
>  
> > 
> > 
> >     Richard
> > _______________________________________________
> > Catalog-SIG mailing list
> > Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> > http://mail.python.org/mailman/listinfo/catalog-sig
> 
> 
> 
> -- 
> http://www.voidspace.org.uk/
> 
> May you do good and not evil
> May you find forgiveness for yourself and forgive others
> May you share freely, never taking more than you give.
> -- the sqlite blessing http://www.sqlite.org/different.html 


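To make the loophole and the proposed fix concrete, here is a small model (added here; not PyPI's code and not from anyone in the thread). `FileRegistry`, `UploadRejected` and `replay_loophole` are hypothetical names: with `tombstones=False` a delete followed by a re-upload silently changes the content behind an existing filename, while with `tombstones=True` the filename stays reserved after deletion, as Richard Jones proposes, so the second upload is refused.

```python
"""Model of an index that keeps filenames immutable via tombstones."""
import hashlib


class UploadRejected(Exception):
    """Raised when an upload would reuse a filename."""


class FileRegistry:
    """Package files keyed by filename.

    tombstones=False: deleting a file frees its name (the loophole).
    tombstones=True: every name ever uploaded stays reserved (the fix).
    """

    def __init__(self, tombstones: bool) -> None:
        self.tombstones = tombstones
        self.files: dict[str, str] = {}   # filename -> sha256 of content
        self.seen: set[str] = set()       # every filename ever uploaded

    def upload(self, filename: str, content: bytes) -> str:
        if filename in self.files or (self.tombstones and filename in self.seen):
            raise UploadRejected(
                f"{filename} already exists or was previously uploaded; "
                "publish a new version instead"
            )
        digest = hashlib.sha256(content).hexdigest()
        self.files[filename] = digest
        self.seen.add(filename)           # the record survives deletion
        return digest

    def delete(self, filename: str) -> None:
        del self.files[filename]          # contents gone, name stays in self.seen

    def digest_of(self, filename: str):
        return self.files.get(filename)


def replay_loophole(tombstones: bool):
    """Upload, delete, then re-upload different bytes under the same name.

    Returns (digest_of_first_upload, digest_of_second_upload_or_None).
    Sample contents are constructed for the demonstration.
    """
    reg = FileRegistry(tombstones)
    name = "example-1.0.tar.gz"
    first = reg.upload(name, b"original sdist bytes")
    reg.delete(name)
    try:
        second = reg.upload(name, b"different sdist bytes")
    except UploadRejected:
        second = None
    return first, second
```

A client that recorded the first digest (a hash-pinned requirements file, say) would only notice the swap after the fact; the tombstone check stops it at the index.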