On 11/04, Serhiy Storchaka wrote: >04.11.18 17:00, Julien Palard via Python-Dev пише: >>Considering feedback from Ned, what about building this as an independent service? We don't really need to interface with python.org at all, we just need some hardware, a domain, some code to interface with github API and... to start it's probably enough? It would be a usefull POC. > >This will just move risks to this service. > >Ned mentioned potential abuse. We will host unchecked content. >Malicious user can create a PR which replaces Python documentation >with malicious content. The content will be generated by the build/html directory from Travis. If Travis is green we upload the doc, if Travis is red, we do not publish it. If there is an abuse, we close/drop the PR, maybe Bedevere can receive this notification via the webhooks and notify the server to remove the doc. > >The Doc/ directory includes Python scripts and Makefile which are used >for building documentation. Malicious user can use this for executing >arbitrary code on our server. Currently, we use Travis. The malicious code will be execute in the container of Travis, not on the server. We only copy the static files and if we use nginx/apache, we don't execute the .py files. Just serve the .html,.css,.js files > >_______________________________________________ >Python-Dev mailing list >Python-Dev at python.org >https://mail.python.org/mailman/listinfo/python-dev >Unsubscribe: https://mail.python.org/mailman/options/python-dev/stephane%40wirtel.be -- Stéphane Wirtel - https://wirtel.be - @matrixise
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4