Joachim Jablon

Results 396 comments of Joachim Jablon

Haha, rereading my 2-year-old comment above about blue check marks seems to resonate strangely in today's terms :sweat_smile: Who would have guessed...

Mastodon has a link [verification system](https://docs.joinmastodon.org/user/profile/#verification), that might be nice. That's never going to be foolproof though.

I wonder if it makes more sense to have verified details and then unverified details or to have each category with a verified sub-section and a non-verified sub-section. It feels...

If we specifically plan for this to be used on ReadTheDocs, it makes sense to ensure that whatever format we decide on is easy to use with Sphinx & mkdocs....

Also, as far as I can tell, pypi.org's DNS points to Fastly. If we were to easily know the IPs of the real servers beneath Fastly, DDoS attacks could become...

> For SSRF, I think the main thing we'll need to do is prevent server-controlled redirects. In other words: if the URL itself doesn't serve the tag itself, we won't...

> This could make sense indeed. Hm, thinking again, if someone uses `https://10.0.0.1`, this means we ARE going to make the request and if it just so happens that this...

Oh, btw, should we make sure the port is not overridden (or force it ourselves to 443)? I don't know if there are protocols out there where we could...

> The reason why we currently re-verify URLs for each file upload of the same release is because Trusted Publisher verification means that some file uploads might come from the...

Indeed, this is probably not a permission issue (this message is there because it used to be the case that most issues were permission issues, but it might not be...