[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Yuval Greenfield ubershmekel at gmail.com
Wed Feb 1 15:52:43 CET 2012


On Wed, Feb 1, 2012 at 4:29 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> Yuval Greenfield <ubershmekel <at> gmail.com> writes:
> >
> > Obviously this isn't the only problem if the account of an SQLAlchemy
> > maintainer is compromised - other threats can manifest as well.
>
> So, why you think PyPI has to have protections against the hacking of
> maintainers' accounts is beyond me. That's a completely unreasonable
> expectation.
>
> Besides, being able to delete a release is mandatory (imagine you have
> uploaded confidential files by mistake).
>
>

The original proposal was "retaining a record of the uploaded file (though
not the contents) so that future uploads with the same name wouldn't be
allowed."

It sounds like you would be happy with that proposal.
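As an added illustration (not code from this thread or from PyPI), the hypothetical index below contrasts the current behaviour, where deleting a file frees its name, with the proposed one, where only the contents are dropped and the filename record survives so a later upload under the same name is refused. Package name, contents and the `Index` API are all constructed for the example.

```python
import hashlib
from typing import Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Index:
    """Hypothetical minimal package index (not PyPI's code).

    retain_names=False: deleting a file frees its name, so a file with the
    same name but different contents can take its place (the loophole).
    retain_names=True: the name/digest record outlives the contents and
    any re-upload under that name is refused (the proposal on the list).
    """

    def __init__(self, retain_names: bool) -> None:
        self.retain_names = retain_names
        self.blobs: dict = {}   # filename -> live contents
        self.seen: dict = {}    # filename -> sha256 of what was uploaded

    def upload(self, filename: str, data: bytes) -> str:
        if filename in self.blobs:
            raise ValueError(f"{filename}: file already exists")
        if self.retain_names and filename in self.seen:
            raise ValueError(f"{filename}: name used before; pick a new version")
        self.blobs[filename] = data
        self.seen[filename] = sha256(data)
        return self.seen[filename]

    def delete(self, filename: str) -> None:
        # Contents are always dropped (a confidential file uploaded by
        # mistake); only the name and digest are kept when retain_names is on.
        del self.blobs[filename]
        if not self.retain_names:
            del self.seen[filename]


def replacement_attempt(retain_names: bool) -> tuple:
    """Return (replacement_succeeded, served_file_matches_pinned_digest).

    Constructed scenario: a client pins the digest of the first upload, then
    the file is deleted and the same filename is uploaded with new contents.
    """
    idx = Index(retain_names)
    name = "examplepkg-1.0.tar.gz"            # constructed sample filename
    pinned = idx.upload(name, b"genuine release contents")
    idx.delete(name)
    try:
        idx.upload(name, b"different contents under the same name")
    except ValueError:
        return False, None                     # refused: nothing is served
    served: Optional[bytes] = idx.blobs.get(name)
    return True, sha256(served) == pinned      # a pinned client would notice
```

With `retain_names=False` the replacement goes through and only a client that pinned the original digest would catch it; with `retain_names=True` the index refuses the re-upload outright.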