Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't understand how a mere account signup is the bar for publishing packages. Why not queue the first few publishes on new accounts for manual review?


PyPI's human resources are extremely strained. (The technical side also only exists thanks to Fastly's generosity.)


Who would do the manual review?


A staffer from the Python foundation? This is how maven central works. Someone physically verifies that you own the reverse domain of your package.


Murky security model for domain validation aside, how does that ensure the honesty of the uploaded package?

(So much of supply chain security is people combining these two things, when we want both as separate properties: I both want to know a package's identity, and I want to know that I should trust it. Knowing that I downloaded a package from `literallysatan.com` without that I should trust `literallysatan.com` isn't good enough!)


That’s basically no validation at all. Python doesn’t even have that kind of namespacing to need to validate.

The kind of validation being discussed here would take way more than “a staffer”.


I mean... don't let perfect be the enemy of good?

I'm insisting that even the barest minimum of human/manual involvement solely on account signup would be a major security improvement.

It would be exhausting to have to audit your entire dependency tree like your life depended on it just to do the most mundane of things.


This isn’t about perfect vs good.

The thing you’re suggesting is outright not possible given the staffing that the Python maintainers have.


Because that would easily get DoS'd.

Any time you introduce humans manually reviewing things, the attackers win instantly by just spamming it with garbage.


Probably because that would be too expensive for PyPI.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: