| ▲ | nzeid a day ago |
| I don't understand how a mere account signup is the bar for publishing packages. Why not queue the first few publishes on new accounts for manual review? |
|
| ▲ | zahlman a day ago | parent | next [-] |
| PyPI's human resources are extremely strained. (The technical side also only exists thanks to Fastly's generosity.) |
|
| ▲ | akerl_ a day ago | parent | prev | next [-] |
| Who would do the manual review? |
|
| ▲ | vips7L a day ago | parent [-] |
| A staffer from the Python foundation? This is how Maven Central works. Someone physically verifies that you own the reverse domain of your package. |
|
| ▲ | woodruffw a day ago | parent | next [-] |
| Murky security model for domain validation aside, how does that ensure the honesty of the uploaded package? (So much of supply chain security is people combining these two things, when we want both as separate properties: I both want to know a package's identity, and I want to know that I should trust it. Knowing that I downloaded a package from `literallysatan.com` without knowing that I should trust `literallysatan.com` isn't good enough!) |
|
| ▲ | akerl_ a day ago | parent | prev [-] |
| That's basically no validation at all. Python doesn't even have that kind of namespacing to need to validate. The kind of validation being discussed here would take way more than "a staffer". |
|
| ▲ | nzeid a day ago | parent [-] |
| I mean... don't let perfect be the enemy of good? I'm insisting that even the barest minimum of human/manual involvement solely on account signup would be a major security improvement. It would be exhausting to have to audit your entire dependency tree like your life depended on it just to do the most mundane of things. |
|
| ▲ | akerl_ a day ago | parent [-] |
| This isn't about perfect vs good. The thing you're suggesting is outright not possible given the staffing that the Python maintainers have. |
|
| ▲ | Sohcahtoa82 a day ago | parent | prev | next [-] |
| Because that would easily get DoS'd. Any time you introduce humans manually reviewing things, the attackers win instantly by just spamming it with garbage. |
|
| ▲ | stavros a day ago | parent | prev [-] |
| Probably because that would be too expensive for PyPI. |