2010/1/20 "Martin v. Löwis" <mar...@v.loewis.de>: >> Of course, there's also a human dimension : we suppose that the people >> running the mirror are people we can trust because they can >> technically do malicious things in the mirror since we don't really >> have any real protection (*yet*). > > That's not true: users of mirrors can verify that the mirrors are > authentic. Neither can malicious operators modify the contents of > their mirrors without clients noticing, nor can careless mirror > operators threaten the integrity of a mirror even assuming somebody > breaks into the mirror.
But users can't verify that the archive they download using tools like easy_install are the real ones. If I am a bad guy and I run a mirror, I can change a setup.py file in an archive and make it do malicious things on the computer, and let easy_install execute it for me. The only verification done is the md5 hash on the file, which can be changed on the mirror (nothing prevents the mirror to compute its own MD5 fragments in the download URLs) Regards Tarek -- Tarek Ziadé | http://ziade.org _______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
