[Catalog-sig] Fwd: readthedocs.org or packages.python.org?
martin at v.loewis.de
Thu Feb 7 01:22:29 CET 2013
Quoting Jacob Kaplan-Moss <jacob at jacobian.org>:
> On Wed, Feb 6, 2013 at 5:45 PM, <martin at v.loewis.de> wrote:
>> I see. Still, it's not a problem at the moment; "python.org" does not issue
>> cookies. Even for the new site, it should be possible to find a secure
>> solution that doesn't involve shutting down packages.python.org.
>
> Sadly, the only "secure solution" would be to not issue cookies, i.e.
> have no login components, and that's not what's required of the new
> site.
Why is that? If the issue is for "www.python.org", then packages.python.org
cannot steal it, can it?
> So something's gotta give here. Our options are basically:
>
> * Don't launch the new site as spec'd; revise the scope to be
> completely static and have no login components.
>
> * Make packages.python.org strip javascript and quite possibly certain
> HTML as well (I think it has to strip forms to prevent CSRF, but I
> haven't thought that through completely).
>
> * Move packages.python.org to a new TLD.
There are certainly more options:
- don't use cookies 1: use basic auth instead
- don't use cookies 2: use TLS session IDs instead
- don't use cookies 3: use X.509 certificates instead
- move the login site to a new TLD (e.g. python-cms.org)
I'm not saying that all these options are practical, I'm just pointing
out that there are definitely more than the three you've mentioned.
"Move to a new TLD" is much better than "tell people to go elsewhere",
though.
Regards,
Martin
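Whether packages.python.org can "steal" a www.python.org cookie comes down to cookie scope. The Python below is an added example, not code from the thread or from python.org: it models a browser's cookie jar with the standard library's http.cookiejar and its default Netscape-style domain matching (close to, but not identical with, what browsers do) and walks through the cases the messages argue about: a host-only cookie, a Domain=python.org cookie, a page on packages.python.org planting a Domain=python.org cookie, and Martin's separate-TLD option. The host names are the ones discussed in the thread; the cookie names, values, paths and URLs are made up for the demonstration, and the Set-Cookie headers stand in for whatever a hosted page would do with document.cookie in a browser.

```python
"""Cookie scope between python.org hosts, modelled with http.cookiejar.

Added example, not code from the original thread. DefaultCookiePolicy
applies Netscape-style domain matching, close enough to browser behaviour
to answer: which cookies set by one host under python.org does a sibling
host get to see, and which can it plant? Host names are those discussed
in the thread; cookie names, values and paths are constructed.
"""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response: the jar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Store the Set-Cookie headers of a (constructed) response to url."""
    jar.extract_cookies(_Response(set_cookie_headers),
                        urllib.request.Request(url))


def cookies_sent_to(jar, url):
    """Return the (name, value) pairs the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return [tuple(part.split("=", 1)) for part in header.split("; ")]


def host_only_cookie_stays_on_host():
    """Martin's case: without a Domain attribute the cookie is host-only,
    so packages.python.org never receives the www.python.org session."""
    jar = http.cookiejar.CookieJar()
    receive(jar, "https://www.python.org/login",
            ["sessionid=abc123; Path=/; Secure; HttpOnly"])
    return (cookies_sent_to(jar, "https://www.python.org/admin/"),
            cookies_sent_to(jar, "https://packages.python.org/foo/"))


def domain_cookie_is_shared_with_siblings():
    """Jacob's worry: Domain=python.org makes the cookie visible to every
    host under python.org, packages.python.org included."""
    jar = http.cookiejar.CookieJar()
    receive(jar, "https://www.python.org/login",
            ["sessionid=abc123; Domain=python.org; Path=/; Secure"])
    return (cookies_sent_to(jar, "https://www.python.org/admin/"),
            cookies_sent_to(jar, "https://packages.python.org/foo/"))


def sibling_can_plant_domain_cookie():
    """The reverse direction: a page served from packages.python.org may set
    a Domain=python.org cookie, and www.python.org then receives it next to
    its own host-only session cookie (session / CSRF-token fixation)."""
    jar = http.cookiejar.CookieJar()
    receive(jar, "https://www.python.org/login",
            ["sessionid=abc123; Path=/; Secure; HttpOnly"])
    receive(jar, "https://packages.python.org/evil/",
            ["sessionid=attacker; Domain=python.org; Path=/"])
    return cookies_sent_to(jar, "https://www.python.org/admin/")


def separate_tld_blocks_planting():
    """Martin's last option: with the login site on python-cms.org, a
    packages.python.org page cannot set a cookie for that domain at all;
    the policy rejects it and www.python-cms.org receives nothing."""
    jar = http.cookiejar.CookieJar()
    receive(jar, "https://packages.python.org/evil/",
            ["sessionid=attacker; Domain=python-cms.org; Path=/"])
    return cookies_sent_to(jar, "https://www.python-cms.org/admin/")


if __name__ == "__main__":
    print("host-only:", host_only_cookie_stays_on_host())
    print("Domain=python.org:", domain_cookie_is_shared_with_siblings())
    print("planted by sibling:", sibling_can_plant_domain_cookie())
    print("separate TLD:", separate_tld_blocks_planting())
```

The third case is the one that matters for the "strip JavaScript" option: even if www.python.org only ever sets host-only cookies, a sibling host can still add a Domain=python.org cookie of the same name, and the server will see both values in the Cookie header in an order it does not control. http.cookiejar is only a model; it has no public-suffix list and knows nothing of later browser additions, so treat it as an illustration of the matching rules rather than as a browser.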