
Issue #40 resolved

This is a scam, right?

smontanaro
created an issue

I got this email this evening:


Status: New Owner: ---- Labels: Type-Defect Priority-Medium

New issue 31 by alex.gay...@gmail.com: Host lockfile on PyPi http://code.google.com/p/pylockfile/issues/detail?id=31

Currently lockfile is hosted off of PyPi, this presents security and performance challenges. If you could upload the releases to PyPi and then follow the instructions at pypi-externals.caremad.io/help/what/ it'd be great!

Is there a problem hosting lockfile at Google Code?

Comments (3)

  1. Donald Stufft

    It's not a scam. Not uploading releases to PyPI has several issues for the people trying to install your software.

    Taking a look at lockfile's simple page https://pypi.python.org/simple/lockfile/ you can see that you directly link to a number of files. However, there is no hash associated with those files. So when people try to download them and install them they have no way to know if a man in the middle has attacked them and injected malicious code into the file they are trying to download. You can fix this by only using URLs that have hashes on them in the form of #md5=<md5 hash>.

    Another problem is you have not disabled external link scraping, which means pip and setuptools will also look on that page, http://code.google.com/p/pylockfile/, for more files to download. This extra HTTP request slows things down, but it's also completely unverified, so any files found on that page can contain malicious code.

    A third problem is one of "uptime". If you upload your files to PyPI they will be available as long as PyPI is up and they will be mirror-able by PyPI's mirrors. However, if you host your files elsewhere they will only be available when PyPI is available and "elsewhere" is available, making it more likely that people won't be able to install your package.

    Additionally, in pip 1.4 (just released) users will be given a warning when installing files hosted in this way, and in pip 1.5 pip will not install files hosted in this way without the end user explicitly allowing it, using --allow-external for files hosted externally that contain a hash in the link and are linked directly from the simple page, and --allow-insecure for files hosted externally without a hash or hosted on the extra homepage that pip and setuptools look for. As it stands, in pip 1.5 your users will need to run pip install --allow-external lockfile --allow-insecure lockfile lockfile.

    There are more details on the page that Alex linked you to (which happened to be written by me) and it also has details letting you decide what mode to use. It is of course your decision to make how you host your project, but it does provide a degraded experience for the people installing it.
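    As an added illustration of the checks described in this comment (not code from the thread, from pip, or from PyPI), the following Python inspects a constructed simple page, classifies each link by what pip 1.5 would require of the user, and checks a downloaded file against the #md5= fragment of its link. The page contents, hosts, digests and the rel="homepage" marker are constructed sample data.

```python
import hashlib
import re
from urllib.parse import urljoin, urlparse

INDEX_URL = "https://pypi.python.org/simple/lockfile/"

# Constructed sample simple page (hypothetical hosts and digests).
# The md5 shown is the digest of the bytes b"abc", used as a fake download.
SAMPLE_SIMPLE_PAGE = """
<a href="../../packages/source/l/lockfile/lockfile-0.9.1.tar.gz#md5=900150983cd24fb0d6963f7d28e17f72">lockfile-0.9.1.tar.gz</a>
<a href="http://code.google.com/files/lockfile-0.9.1.tar.gz#md5=900150983cd24fb0d6963f7d28e17f72">lockfile-0.9.1.tar.gz</a>
<a href="http://code.google.com/files/lockfile-0.8.tar.gz">lockfile-0.8.tar.gz</a>
<a href="http://code.google.com/p/pylockfile/" rel="homepage">pylockfile</a>
"""

LINK_RE = re.compile(r'<a\s+href="([^"]+)"(?:\s+rel="([^"]+)")?[^>]*>', re.I)

def classify_links(page, index_url=INDEX_URL):
    """Return (url, category) pairs mirroring the rules in the comment:
    'internal' links need no flag, 'external' (off-index, with #md5=)
    need --allow-external, and 'insecure' (off-index without a hash, or
    a homepage that would be scraped) need --allow-insecure."""
    index_host = urlparse(index_url).netloc
    result = []
    for href, rel in LINK_RE.findall(page):
        url = urljoin(index_url, href)
        parsed = urlparse(url)
        has_md5 = parsed.fragment.startswith("md5=")
        if rel == "homepage":
            result.append((url, "insecure"))   # scraped page, unverified
        elif parsed.netloc == index_host:
            result.append((url, "internal"))
        elif has_md5:
            result.append((url, "external"))
        else:
            result.append((url, "insecure"))
    return result

def verify_download(data, url):
    """Compare a downloaded file with the #md5= fragment of its link.
    A link without a hash gives nothing to check against, which is the
    man-in-the-middle exposure the comment describes, so it fails."""
    fragment = urlparse(url).fragment
    if not fragment.startswith("md5="):
        return False
    expected = fragment[len("md5="):].lower()
    return hashlib.md5(data).hexdigest() == expected
```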

  2. smontanaro reporter

    Thanks for the reply. The biggest reason I thought it was a scam was because of the rather bizarre URL. If you want people to consider clicking through to recommendations, you need a pypi.python.org URL. Better yet, the note should come from a python.org email address. Random people on the net shouldn't be opening bug reports about this.

    I'm out of town for a few days. I'll see about making a few changes when I get back.

    Skip
