"Martin v. Löwis" wrote:
>> I read PEP 381 a long time ago and I don't remember how/when a mirror
>> would update, but I do remember it doesn't mandate digital signatures
>> (signed by the PyPI central node, verified by setuptools & friends). That is a
>> big gap, in my opinion.
>
> The PEP doesn't explain the digital signing that is going on in
> mirroring. See
>
> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html
>
> This is fully implemented (except that the client would need to verify the
> signatures, and except key rollover hasn't happened yet).
That's good to know, but I think some parts of this will have to be
discussed some more:

"""
/serverkey

Public DSA key of the server, in the PEM format as generated by
"openssl dsa -pubout" (i.e. RFC 3280 SubjectPublicKeyInfo, with the
algorithm 1.3.14.3.2.12). This URL must *not* be mirrored, and clients
must fetch the official serverkey from PyPI directly. The serverkey
"""

* How will clients be sure that they are getting the correct key?
* What would a client do if the PyPI server is down?
* How would clients protect their local cached copy of the server key
  against manipulation?
* Without access to OpenSSL and M2Crypto, how would clients apply the
  check?

Also, please consider that access to crypto code is restricted in some
parts of the world. Users in those countries would have to be able to
turn off verification.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jun 15 2010)
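The four questions above map onto concrete client-side decisions: pin the expected serverkey so a fetched (or cached) key is only trusted when it matches, fall back to the cached copy during an outage, re-check the cache against the pin so a manipulated file is rejected, and keep the signature check itself in plain Python so it works without OpenSSL or M2Crypto. The following is an added example written for this thread, not code from PyPI, setuptools or the PEP 381 mirroring implementation. It assumes a toy pure-Python DSA with deliberately small, constructed domain parameters, SHA-256 hashing, and the public key handled as a bare integer rather than the PEM SubjectPublicKeyInfo the real /serverkey uses; the `MirrorClient` class, `fetch_from_pypi` callback and `verify_enabled` switch are hypothetical names chosen here to illustrate the flow.

```python
"""Added example (not from the thread, PyPI or setuptools): a client verifying a
mirrored file against the PyPI serverkey with toy pure-Python DSA. Illustration
only: small constructed parameters, SHA-256, bare-integer key, not real crypto."""
import hashlib
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test (n is always >= 2 here)."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_parameters(p_bits=128, q_bits=48):
    """DSA domain parameters (p, q, g): q divides p-1, g has order q mod p."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:  # k kept even so p = k*q + 1 is odd
        k = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
        if g != 1:
            return p, q, g

def generate_keypair(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1     # private key, held by PyPI only
    return x, pow(g, x, p)               # (x, y): y is the public serverkey

def hash_to_int(data, q):
    """SHA-256 truncated to the leftmost len(q) bits, as FIPS 186 specifies."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> max(0, 256 - q.bit_length())

def sign(params, x, data):
    p, q, g = params
    z = hash_to_int(data, q)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q
        if r and s:
            return r, s

def verify(params, y, data, signature):
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w, z = pow(s, -1, q), hash_to_int(data, q)
    return (pow(g, z * w % q, p) * pow(y, r * w % q, p) % p) % q == r

class MirrorClient:
    def __init__(self, params, pinned_fingerprint, verify_enabled=True):
        self.params = params
        self.pinned = pinned_fingerprint   # ships inside the client, never fetched
        self.cached_key = None             # local copy of the serverkey
        self.verify_enabled = verify_enabled

    @staticmethod
    def fingerprint(y):
        return hashlib.sha256(y.to_bytes((y.bit_length() + 7) // 8, "big")).hexdigest()

    def serverkey(self, fetch_from_pypi):
        """fetch_from_pypi() returns the key or raises OSError when PyPI is down;
        the pinned fingerprint is checked on every load, cached copies included."""
        try:
            y = fetch_from_pypi()
        except OSError:
            if self.cached_key is None:
                raise RuntimeError("PyPI unreachable and no cached serverkey")
            y = self.cached_key
        if self.fingerprint(y) != self.pinned:
            raise RuntimeError("serverkey does not match pinned fingerprint")
        self.cached_key = y
        return y

    def check_mirror_file(self, data, signature, fetch_from_pypi):
        if not self.verify_enabled:      # opt-out for users who cannot use crypto
            return True
        return verify(self.params, self.serverkey(fetch_from_pypi), data, signature)
```

The pin does the real work: the fetched key answers "is this the correct key" only because it is compared against a fingerprint the client already carries, and the same comparison is what makes a manipulated cache file harmless. A client with no pin and no cache has nothing to trust during an outage, so it refuses rather than silently accepting an unverified file; turning verification off remains an explicit, user-chosen setting.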