Tarek Ziadé wrote:
> 2010/1/20 "Martin v. Löwis" <[email protected]>:
>>> Of course, there's also a human dimension: we suppose that the people
>>> running the mirror are people we can trust because they can
>>> technically do malicious things in the mirror since we don't really
>>> have any real protection (*yet*).
>> That's not true: users of mirrors can verify that the mirrors are
>> authentic. Neither can malicious operators modify the contents of
>> their mirrors without clients noticing, nor can careless mirror
>> operators threaten the integrity of a mirror even assuming somebody
>> breaks into the mirror.
>
> But users can't verify that the archives they download using tools like
> easy_install are the real ones.
>
> If I am a bad guy and I run a mirror, I can change a setup.py file in
> an archive and make it do malicious things on the computer, and let
> easy_install execute it for me.
> The only verification done is the md5 hash on the file, which can be
> changed on the mirror (nothing prevents the mirror from computing its own
> MD5 fragments in the download URLs).
>
> Regards
> Tarek
>
I have in the past suggested that we consider hosting services at diverse places. I'd have thought this was a prima facie case for distributed hosting facilities. If we have that, we have no need for mirrors, but instead for systems management. I know of at least three reputable US hosting companies who I am pretty sure would help, and a major academic hosting organization too. Also maybe Snakebite might be another location?

This is an infrastructure committee task really. Brett? Martin? Brett: maybe your closing report to the board could summarize the overall hosting situation?

regards
Steve
--
Steve Holden +1 571 484 6266 +1 800 494 3119
PyCon is coming! Atlanta, Feb 2010 http://us.pycon.org/
Holden Web LLC http://www.holdenweb.com/
UPCOMING EVENTS: http://holdenweb.eventbrite.com/

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
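The point Tarek makes in the quoted message, that a digest carried in the mirror's own download URL cannot protect against the mirror, can be shown in a few lines. The following is an added example written for this page; it is not code from the Catalog-SIG thread, from PyPI or from easy_install. The archive bytes, the `mirror.example` host and the `#md5=<hex>` fragment form are constructed for the demonstration. It simulates a mirror that serves an altered archive together with a fragment it recomputed itself, and contrasts a client check that takes the expected digest from the mirror with one that takes it from a source the client already trusts.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample data (not a real package): the archive bytes as published
# upstream, and the same archive after a hypothetical mirror altered setup.py.
GENUINE_ARCHIVE = b"demo-1.0/setup.py: from setuptools import setup; setup(name='demo')\n"
TAMPERED_ARCHIVE = b"demo-1.0/setup.py: <contents replaced by the mirror>\n"


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of the archive bytes; md5 is what the fragments discussed on the page use."""
    return hashlib.new(algorithm, data).hexdigest()


def mirror_listing(archive: bytes) -> dict:
    """Simulated mirror (hypothetical host mirror.example): it serves an archive and a
    download URL whose md5 fragment it computes itself from whatever bytes it serves."""
    return {
        "archive": archive,
        "url": f"http://mirror.example/demo-1.0.tar.gz#md5={digest(archive)}",
    }


def fragment_digest(url: str) -> str:
    """Extract the '<hex>' part of an 'md5=<hex>' URL fragment (assumed fragment form)."""
    algorithm, _, value = urlparse(url).fragment.partition("=")
    if algorithm != "md5" or not value:
        raise ValueError(f"no md5 fragment in {url!r}")
    return value


def verify_with_mirror_fragment(listing: dict) -> bool:
    """Client check that trusts the mirror for both the bytes and the expected digest.
    A tampered archive passes, because the mirror recomputed the fragment to match."""
    return digest(listing["archive"]) == fragment_digest(listing["url"])


def verify_with_trusted_digest(listing: dict, trusted_digest: str) -> bool:
    """Client check that compares the mirrored bytes with a digest obtained from a
    source the client already trusts (here: the authoritative index), so a mirror
    that alters the archive cannot also alter the value it is compared against."""
    return digest(listing["archive"]) == trusted_digest


def demo() -> dict:
    """Run both checks against an honest and a tampering mirror; returns pass/fail per case."""
    trusted = digest(GENUINE_ARCHIVE)  # published by the authoritative index, not by the mirror
    honest = mirror_listing(GENUINE_ARCHIVE)
    rogue = mirror_listing(TAMPERED_ARCHIVE)
    return {
        "honest_mirror_fragment_check": verify_with_mirror_fragment(honest),        # True
        "rogue_mirror_fragment_check": verify_with_mirror_fragment(rogue),          # True: the check is blind
        "honest_mirror_trusted_check": verify_with_trusted_digest(honest, trusted),  # True
        "rogue_mirror_trusted_check": verify_with_trusted_digest(rogue, trusted),    # False: tampering detected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'MISMATCH'}")
```

The algorithm is not what matters here: swapping md5 for a stronger digest changes nothing as long as the expected value is fetched from the same mirror as the file. What makes the second check meaningful is that the digest comes from a party the client trusts independently of the mirror, which is the gap the quoted message describes.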
