Disallow reupload of the same package
Closed this issue · 2 comments
Standard pypi also does not allow reuploads of the same package.
This can create a security issue which is difficult to track.
More explanations:
Let's assume some attacker has two capabilities:
- ability to delete packages on the index
- ability to upload packages on the index
These can be achieved by impersonating an admin account (or obtaining access to whatever upload script is used).
In this case, they could:
- wait until a version of `foo` (say) is uploaded
- locally prepare a malicious version of the same package
- delete the `foo` on the index and upload their own package
- wait for a while, then delete their malicious code from the index and re-upload the original one

Now, all people who installed `foo` during the time in the last step will have a malicious package on their system and there will barely be any way to track that.
This is why PyPI does not allow reuploads of the same package.
pypicloud has an option to disallow overwriting packages, and this is the default behavior. So that's one piece of it.
I agree that completely disallowing uploading the same version of a package twice would be ideal, but in order to do that I'd have to implement tombstones in all the storage backends. Would it be enough for your purposes to simply have a config option that disables the ability to delete packages? That plus the above option should get the same behavior, with the downside that you can't delete uploaded packages.
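To make the tombstone idea concrete, here is an added example (not pypicloud's own code) of an index-side ledger that records the digest of every uploaded filename, keeps a tombstone when a file is deleted, and replays the delete-and-reupload scenario from the issue against it; the filenames and wheel bytes are constructed samples.

```python
"""Index-side tombstone ledger (added example, not pypicloud code).

Once a filename has been uploaded the index remembers its digest; deleting
it leaves a tombstone, so that filename can never be re-uploaded, whether
with the original bytes or with different (possibly malicious) ones.
"""
import hashlib


class TombstoneLedger:
    def __init__(self):
        self._seen = {}        # filename -> sha256 hex of the first upload
        self._deleted = set()  # filenames whose bytes were removed (tombstoned)

    def upload(self, filename, data):
        digest = hashlib.sha256(data).hexdigest()
        if filename in self._deleted:
            return "rejected-tombstoned"   # deleted names stay reserved forever
        if filename in self._seen:
            if self._seen[filename] == digest:
                return "rejected-duplicate"  # same bytes, nothing to do
            return "rejected-conflict"       # overwrite with different bytes
        self._seen[filename] = digest
        return "accepted"

    def delete(self, filename):
        if filename not in self._seen or filename in self._deleted:
            return False
        self._deleted.add(filename)  # keep the entry; only the bytes go away
        return True


def simulate_attack():
    """Replay the issue's scenario: upload, delete, re-upload modified, restore."""
    ledger = TombstoneLedger()
    name = "foo-1.0-py3-none-any.whl"           # constructed sample filename
    original = b"foo-1.0 genuine wheel bytes"   # constructed sample content
    malicious = b"foo-1.0 trojaned wheel bytes"  # constructed sample content
    return [
        ledger.upload(name, original),   # accepted
        ledger.upload(name, malicious),  # rejected-conflict (overwrite refused)
        ledger.delete(name),             # True (bytes removed, tombstone kept)
        ledger.upload(name, malicious),  # rejected-tombstoned
        ledger.upload(name, original),   # rejected-tombstoned (even the original)
    ]


if __name__ == "__main__":
    print(simulate_attack())
```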
Thanks for the quick reply.
Yes, an option to disable deletion should be enough for us. We can use the underlying distributed file system to clean up unnecessary files.