* How will clients be sure that they are getting the correct key?

They should initially download it from the master server (when that is
online) and cache it.

* What would a client do if the PyPI server is down?

Isn't that straightforward?

* How would clients protect their local cached copy of the
server key against manipulation?

Using standard operating system access control.

* Without access to OpenSSL and M2Crypto, how would clients
apply the check?

distribute could include a pure-Python checking function. The API
was specifically designed to make this possible.

Also, please consider that access to crypto code is restricted
in some parts of the world. Users in those countries would have
to be able to turn off verification.

Most certainly. The simplest approach would be to turn off mirror usage
in the first place. If you do use mirrors, it is then a matter of your
own risk evaluation whether you want the mirror result verified.

Notice that none of this protects against the master server being
tampered with; the only way to protect against that is to use the PGP signing
feature in PyPI (which, of course, package authors must use).

Regards,
Martin
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
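
The key-caching answers above (download once from the master server, cache it, protect the cache with operating system access control), as an added example that is not part of the original message and is not distribute's or PyPI's code. It assumes a POSIX client; the file name, function names and key bytes are hypothetical and constructed, and it covers only the cache handling, not the signature check itself.

```python
import os
import stat
import tempfile

class UntrustedKeyFile(Exception):
    """The cached key file could have been modified by someone else."""

def cache_server_key(path, key_bytes):
    """Store the key fetched from the master server, accessible to the owner only."""
    # O_EXCL refuses to overwrite an existing cache (the first download wins)
    # and fails if `path` already exists as a symlink planted by someone else.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_bytes)

def load_cached_key(path):
    """Return the cached key bytes, or raise if OS permissions do not protect them."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())  # inspect the opened file, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedKeyFile("not a regular file")
        if st.st_uid != os.getuid():
            raise UntrustedKeyFile("owned by another user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedKeyFile("writable by group or others")
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            raise UntrustedKeyFile("directory lets others replace the file")
        return f.read()

def demo():
    """Constructed walk-through: a good cache loads, a loosened one is rejected."""
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        path = os.path.join(d, "serverkey")  # hypothetical cache file name
        cache_server_key(path, b"CONSTRUCTED-SAMPLE-KEY")
        loaded = load_cached_key(path)
        try:
            cache_server_key(path, b"REPLACEMENT")  # a later download must not win
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        os.chmod(path, 0o666)  # simulate a cache left writable by everyone
        try:
            load_cached_key(path)
            loose_rejected = False
        except UntrustedKeyFile:
            loose_rejected = True
        return loaded, overwrite_refused, loose_rejected
```

A client that gets `UntrustedKeyFile` should treat the mirror result as unverified rather than fall back to the suspect key.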