[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Yuval Greenfield ubershmekel at gmail.com
Wed Feb 1 10:01:49 CET 2012


On Wed, Feb 1, 2012 at 10:36 AM, Chris Withers <chris at simplistix.co.uk> wrote:

> On 01/02/2012 07:12, Yuval Greenfield wrote:
>
>> +1 on removing this security loophole in any of the ways suggested here.
>>
>
> Good grief, it's not a "security loophole".
>
> If you actually cared about security, you'd already be using, recording
> and checking the MD5 checksums provided with each download and would
> already know that this isn't a security loophole.
>
> If you're not, then quit with the security theater.
>
> cheers,
>
>
Would you testify that HTTP is secure because I can emulate TLS in
JavaScript?

PyPI should do what it can within reason to be consistent and safe for all
its users. We're talking about a standard best practice for sites with
user-generated content. The original API was aware of this best practice and
a loophole was eventually introduced. Please do read the OP.

"Cheers",

Yuval
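The practice Chris describes, recording the checksum PyPI publishes with each file and checking it on every later fetch, is what would actually surface a file silently replaced under the same name. The script below is an added illustration of that record-then-verify flow, not code from the thread or from PyPI; the pin store, the file names and the file contents are constructed for the example, and hashlib's MD5 is used only because that is the digest PyPI published at the time (the same code pins sha256 by changing the algorithm argument).

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Hypothetical pin store: file name -> hex digest recorded on first download.
# In real use this would be a lock file kept under version control.
PinStore = Dict[str, str]


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of a downloaded file's bytes.

    PyPI of the time published MD5 alongside each file; pass "sha256" to pin a
    stronger algorithm with the same workflow.
    """
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def record(pins: PinStore, filename: str, data: bytes, algorithm: str = "md5") -> str:
    """Pin a file's digest the first time it is fetched.

    Refuses to overwrite an existing pin: a file re-uploaded under the same
    name is exactly the event this check exists to catch, so an operator must
    consciously drop the old pin rather than have it replaced on the fly.
    """
    if filename in pins:
        raise ValueError(f"{filename} already pinned; verify it instead of re-recording")
    pins[filename] = digest(data, algorithm)
    return pins[filename]


def verify(pins: PinStore, filename: str, data: bytes, algorithm: str = "md5") -> Tuple[bool, str]:
    """Check freshly downloaded bytes against the recorded pin.

    Returns (ok, reason) where reason is "match", "mismatch" (same name,
    different contents: the replacement case) or "unpinned" (never recorded,
    so nothing can be asserted about it).
    """
    if filename not in pins:
        return False, "unpinned"
    if hmac.compare_digest(pins[filename], digest(data, algorithm)):
        return True, "match"
    return False, "mismatch"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Constructed walk-through: first fetch is pinned, a re-upload with the
    same file name is flagged, and an unknown file is reported as unpinned."""
    pins: PinStore = {}
    original = b"constructed sdist contents, release 1.0"          # constructed sample
    replaced = b"constructed sdist contents, re-uploaded as 1.0"   # constructed sample
    record(pins, "example-1.0.tar.gz", original)
    return (
        verify(pins, "example-1.0.tar.gz", original),
        verify(pins, "example-1.0.tar.gz", replaced),
        verify(pins, "other-2.0.tar.gz", original),
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The mismatch branch is the whole point: with a recorded digest, a same-name replacement is detectable on the client regardless of what the index allows, which is the argument on both sides of the thread (Chris that clients should already be doing this, Yuval that the index should not make it necessary).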
