[Catalog-sig] Fwd: readthedocs.org or packages.python.org?

Jesse Noller jnoller at gmail.com
Thu Feb 7 01:30:56 CET 2013



On Feb 6, 2013, at 7:22 PM, martin at v.loewis.de wrote:

> 
> Zitat von Jacob Kaplan-Moss <jacob at jacobian.org>:
> 
>> On Wed, Feb 6, 2013 at 5:45 PM,  <martin at v.loewis.de> wrote:
>>> I see. Still, it's not a problem at the moment; "python.org" does not issue
>>> cookies. Even for the new site, it should be possible to find a secure
>>> solution that doesn't involve shutting down packages.python.org.
>> 
>> Sadly, the only "secure solution" would be to not issue cookies, i.e.
>> have no login components, and that's not what's required of the new
>> site.
> 
> Why is that? If the issue is for "www.python.org", then packages.python.org
> cannot steal it, can it?
> 
>> So something's gotta give here. Our options are basically:
>> 
>> * Don't launch the new site as spec'd; revise the scope to be
>> completely static and have no login components.
>> 
>> * Make packages.python.org strip javascript and quite possibly certain
>> HTML as well (I think it has to strip forms to prevent CSRF, but I
>> haven't thought that through completely).
>> 
>> * Move packages.python.org to a new TLD.
> 
> There are certainly more options:
> - don't use cookies 1: use basic auth instead
> - don't use cookies 2: use TLS session IDs instead
> - don't use cookies 3: use X.509 certificates instead
> - move the login site to a new TLD (e.g. python-cms.org)
> 
> I'm not saying that all these options are practical, I'm just pointing
> out that there are definitely more than the three you've mentioned.
> 
> "Move to a new TLD" is much better than "tell people to go elsewhere",
> though.
> 
> Regards,
> Martin
> 

We're talking about moving packages.python.org to a new TLD, not the main site. Moving the main site/content editing from the main site to protect against the insecure, unspecified content we're allowing them to upload to pypi for docs is a non-starter.



> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
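The scoping rule the thread is arguing about, shown with CPython's own stdlib cookie jar (this is an added illustration, not code from the thread; the hosts other than python.org ones are constructed placeholders): a cookie set without a Domain attribute stays host-only, but a page on packages.python.org can set a cookie for the parent domain that the browser then attaches to www.python.org, while a page on a separate registrable domain cannot.

```python
"""Which hosts receive a cookie set by user-uploaded content?

Constructed scenario (not from the mailing-list thread): a page served from
packages.python.org answers with a Set-Cookie header, and we ask the
browser-side jar (http.cookiejar's default Netscape policy) which requests
it would then attach that cookie to.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response; the jar only calls .info()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_sent_to(setter_url, set_cookie_header, target_url):
    """Return the Cookie header a request to target_url would carry (or None)
    after a response from setter_url set the given cookie."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_header), Request(setter_url))
    req = Request(target_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def run_cases():
    """Four constructed cases; 'sid=x' means the cookie reached www.python.org."""
    setter = "http://packages.python.org/somepkg/index.html"
    main_site = "http://www.python.org/admin/"
    other_domain = "http://packages.example-hosting.test/somepkg/index.html"
    return {
        # No Domain attribute: host-only, never sent to a sibling host.
        "host_only": cookie_sent_to(setter, "sid=x; Path=/", main_site),
        # Parent-domain cookie: accepted from the subdomain and sent to www.
        "parent_domain": cookie_sent_to(
            setter, "sid=x; Domain=.python.org; Path=/", main_site),
        # Naming a sibling host directly is rejected by the jar.
        "sibling_direct": cookie_sent_to(
            setter, "sid=x; Domain=www.python.org; Path=/", main_site),
        # From a separate registrable domain the same header is rejected.
        "separate_tld": cookie_sent_to(
            other_domain, "sid=x; Domain=.python.org; Path=/", main_site),
    }
```

The second case is why hosting untrusted HTML on a subdomain affects the login-bearing main site even though www.python.org's own host-only cookies stay unreadable; the last case is what moving packages to a different TLD buys.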

