Phillip J. Eby wrote:
> In this case, that person could simply distribute everything from their
> site, and the user can simply require all the downloads to come from
> that site using easy_install's --allow-hosts option. For example, since
> TurboGears distributes all its dependencies, I could trust only
> turbogears.org. Or, I could choose to trust anything from
> cheeseshop.python.org.
>
> In other words, host-based trust seems a lot easier to implement and
> almost as useful.

IMO, common sense is just as useful: people know what software to install, so go right ahead and do it. Host-based trust really adds very little here: even if I like the software, somebody could have taken over the server and replaced it with a trojan. In that scenario, neither host-based trust nor common sense would help; I can't think of a scenario where host-based trust would help beyond common sense.

Regards,
Martin

_______________________________________________
Catalog-sig mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
