On Wed, Apr 27, 2011 at 8:39 PM, Martin v. Löwis mar...@v.loewis.de wrote:
I came up with a key rollover scheme for the server key on PyPI.
The objective of this key rollover is to protect against brute-force
attacks of people trying to crack the key. If the main server itself
gets compromised
Martin v. Löwis wrote:
On 28.04.2011 10:26, M.-A. Lemburg wrote:
Martin v. Löwis wrote:
I came up with a key rollover scheme for the server key on PyPI.
[...]
The key rollover will be logged in the PyPI journal,
using an empty package name and an empty release. TOOLS USING
THE JOURNAL
I came up with a key rollover scheme for the server key on PyPI.
The objective of this key rollover is to protect against brute-force
attacks of people trying to crack the key. If the main server itself
gets compromised (and the private key leaks), this scheme will not
help, and we will need to