[Catalog-sig] Allowing the upload of .py files at PyPI

Nick Coghlan ncoghlan at gmail.com
Thu Feb 14 23:54:38 CET 2013


On 15 Feb 2013 08:38, "Donald Stufft" <donald.stufft at gmail.com> wrote:
>
> On Thursday, February 14, 2013 at 5:34 PM, M.-A. Lemburg wrote:
>>
>> I don't follow the reasoning here. What's the difference between
>> uploading a .py file and a .tar.gz file ?
>>
>> AFAIK, the only reason why the file extensions are restricted is to
>> prevent people from uploading MP3s, movies or other material that doesn't
>> belong on PyPI - not because there are security concerns.
>>
> Personally (might be different for Nick) it's less a problem with
> uploading .py files and more a problem with allowing arbitrary names.

The sensible security mindset is to only open yourself up to attack vectors
when you have no other choice. Since phishing attacks on the bootstrap
scripts can be prevented categorically with a whitelist (even a hardcoded
one at this point), the onus should be on others to explain why we should
leave the bootstrap scripts open to such attacks.

The difference relative to releases is that those *have* to be open access
for PyPI to work. The same is not true for the bootstrap scripts - any
other package can automate its installation by bootstrapping pip, and then
installing itself. There's no need to declare open season on Python file
uploads, therefore we shouldn't do so.

Cheers,
Nick.
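The distinction Nick draws, as an added example that is not from the thread or from PyPI's own code: an extension-only rule lets any project publish any `.py` name, while a hardcoded per-project whitelist only admits known bootstrap scripts. The allowlist contents, the `<project>-<version>` naming rule and all filenames are constructed assumptions for illustration.

```python
import re

# Constructed allowlist (assumption, not PyPI policy): bootstrap scripts
# keyed by the only project permitted to publish each of them.
BOOTSTRAP_ALLOWLIST = {
    "pip": {"get-pip.py"},
    "setuptools": {"ez_setup.py"},
}

# Ordinary release archives are restricted by extension, as the thread describes.
RELEASE_EXTENSIONS = (".tar.gz", ".zip", ".whl", ".egg")


def is_release_file(project: str, filename: str) -> bool:
    """Release archive: allowed extension and a name tied to the uploading project.

    Constructed naming rule: '<project>-<version><ext>', e.g. 'pip-1.3.1.tar.gz'.
    """
    if not filename.endswith(RELEASE_EXTENSIONS):
        return False
    return re.match(rf"^{re.escape(project)}-\d", filename) is not None


def extension_only_policy(project: str, filename: str) -> bool:
    """Weak policy: any .py upload is accepted, whatever its name or project.

    A project unrelated to pip could publish a file called 'get-pip.py'.
    """
    if filename.endswith(".py"):
        return True
    return is_release_file(project, filename)


def whitelist_policy(project: str, filename: str) -> bool:
    """Policy argued for in the thread: .py uploads only for hardcoded names,
    and only from the project that owns that bootstrap script."""
    if filename.endswith(".py"):
        return filename in BOOTSTRAP_ALLOWLIST.get(project, set())
    return is_release_file(project, filename)


if __name__ == "__main__":
    for proj, name in [("pip", "get-pip.py"), ("otherproject", "get-pip.py"),
                       ("pip", "pip-bootstrap.py"), ("pip", "pip-1.3.1.tar.gz")]:
        print(f"{proj:13} {name:20} extension-only={extension_only_policy(proj, name)!s:5} "
              f"whitelist={whitelist_policy(proj, name)}")
```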