Issue #98 resolved

Maintainer can assert themselves as an owner

blink1073
created an issue

I was added as a maintainer of the enaml and atom packages. When I registered and uploaded the files for those packages, I was automatically made an owner, without the owner's intervention. This smells like a security problem.

add Maintainer blink1073    2013-11-30 22:54    sccolbert   199.27.78.21
add Owner blink1073 2013-12-01 01:31    blink1073   199.27.78.21

Comments (15)

  1. Richard Jones

    This is intentional (as indicated by that being one of the very early commits to the project code :)

    Someone has to be the owner of the registration in PyPI - this defaults to the first person to register the project. The Owner in PyPI is able to grant roles to others in PyPI. That is all that that means.

    I think it's important to note that the Owner assignation is not even visible to anyone except those who have roles on the project in PyPI.

    I believe this issue may be closed.

  2. Chris Jerdonek

    > Someone has to be the owner of the registration in PyPI - this defaults to the first person to register the project.

    Yes, I understood that.

    But if you look at the commit I cited in the previous comment, the code which does what you say went from being executed only when registering the project to being executed also when not registering the project.

    You can also see this in the fact that the following code snippet appears in identical form twice (in both lines 383 and 502 of the commit @ewdurbin mentioned, but not before the commit I cited):

    # first person to add an entry may be considered owner - though
    # make sure they don't already have the Role (this might just
    # be a new version, or someone might have already given them
    # the Role)
    if not self.has_role('Owner', name):
        self.add_role(self.username, 'Owner', name)

    It looks like the commit I cited meant to move that code snippet from one place to another, but it instead duplicated it to a second location, without removing it from its original location.

  3. Chris Jerdonek

    Also, just to be clear, this issue is about how maintainers added after a project has already been registered can make themselves owners (after there was already a first owner). So this isn't about the first person registering a project.
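    The sequence from the issue's journal, replayed against a constructed role table (added example, not PyPI's code): `upload_buggy` is the "before" behaviour comment 2 describes, where the owner-assignment runs on every upload, and `upload_fixed` is an assumed correction that only assigns Owner when the package has none and otherwise requires an existing role.

```python
from collections import defaultdict


class Roles:
    """Constructed stand-in for PyPI's role table: package -> {(user, role)}."""

    def __init__(self):
        self._roles = defaultdict(set)

    def has_role(self, user, role, package):
        return (user, role) in self._roles[package]

    def add_role(self, user, role, package):
        self._roles[package].add((user, role))

    def owners(self, package):
        return sorted(u for u, r in self._roles[package] if r == "Owner")

    def upload_buggy(self, user, package):
        """'Before' path: the owner check is reached on every upload, so any
        uploader who is not yet Owner is silently promoted (the bug reported)."""
        if not self.has_role(user, "Owner", package):
            self.add_role(user, "Owner", package)

    def upload_fixed(self, user, package):
        """Assumed fix: Owner is granted only to the first registrant of a
        brand-new package; uploads to an existing package never grant roles
        and require the caller to already hold Owner or Maintainer."""
        if not self.owners(package):
            self.add_role(user, "Owner", package)
            return
        if not (self.has_role(user, "Owner", package)
                or self.has_role(user, "Maintainer", package)):
            raise PermissionError(f"{user} has no role on {package}")


def replay(fixed):
    """Replay the journal: sccolbert registers enaml, grants blink1073
    Maintainer, then blink1073 uploads a release. Returns the Owner list."""
    roles = Roles()
    roles.add_role("sccolbert", "Owner", "enaml")       # original registrant
    roles.add_role("blink1073", "Maintainer", "enaml")  # granted by the owner
    upload = roles.upload_fixed if fixed else roles.upload_buggy
    upload("blink1073", "enaml")
    return roles.owners("enaml")


if __name__ == "__main__":
    print("buggy:", replay(False))   # blink1073 now appears as Owner
    print("fixed:", replay(True))    # only sccolbert remains Owner
```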
