On Tue, Jun 15, 2010 at 3:55 PM, "Martin v. Löwis" <mar...@v.loewis.de> wrote:
>> Is the plan to use what is proposed in
>> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html in
>> practice?
>
> You mean, is it implemented and deployed? Sure - just try for yourself.
>
>> Is more information available about this?
>
> This is not a very specific question. The answer is certainly: yes, e.g.
> the source code of PyPI.
>
>> Does this protect against man-in-the-middle attacks?
>
> Hmm. This is also not very specific. Sometimes yes, sometimes no.
>
> It protects against men sitting in the middle of a package download, and
> also against men sitting on a mirror (which are both in the middle between
> PyPI and the user).
>
> It doesn't protect against men sitting in the middle of the serverkey
> download, or men sitting in the middle of a setuptools installation
> process, or men sitting on PyPI itself (which would be in the middle between
> the package author and the user).
I'm not clear on this and the document is a little vague, so perhaps I
should be perusing the source, but if you don't protect against a
serverkey MITM and you are supposed to update the serverkey any time a
signature doesn't match up, couldn't an attacker just MITM you, produce a
known bad signature, and then wait for you to request a serverkey from
them?

Geremy Condra
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
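The two client policies under discussion, side by side, as an added example that is not part of the thread or of PyPI's code: a client that refetches the serverkey over the same channel when a serversig fails, versus one that pins the key and only rotates it on a proof signed by the old key. Signatures are stood in for by HMAC tags so the block runs on the standard library alone; the key names, page bodies and the `serverkey:` rotation proof format are constructed for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for the DSA serversig: an HMAC tag over the page body.
# The trust policy below does not depend on which signature scheme is used.
def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

class Channel:
    """What a client downloads: the advertised serverkey plus (page, serversig)
    pairs. A party in the middle of this channel controls all three."""
    def __init__(self, serverkey: bytes, pages: dict):
        self.serverkey, self.pages = serverkey, pages

def refetch_on_mismatch(client_key: bytes, chan: Channel, name: str):
    """Policy questioned in the thread: a bad serversig triggers a serverkey
    refetch over the same channel. Returns (page or None, key now trusted)."""
    page, sig = chan.pages[name]
    if not verify(client_key, page, sig):
        client_key = chan.serverkey              # trusts whatever the channel says
        if not verify(client_key, page, sig):
            return None, client_key
    return page, client_key

class PinnedVerifier:
    """Defensive policy: the serverkey is pinned. A mismatch fails closed, and
    the pin only moves via rotate(), which needs a proof signed by the old key."""
    def __init__(self, serverkey: bytes):
        self.key = serverkey
    def fetch(self, chan: Channel, name: str):
        page, sig = chan.pages[name]
        return page if verify(self.key, page, sig) else None
    def rotate(self, new_key: bytes, proof: bytes) -> bool:
        if not verify(self.key, b"serverkey:" + new_key, proof):
            return False                         # no continuity from the pinned key
        self.key = new_key
        return True

def scenario():
    """Constructed MITM: tampered simple page, signed with the attacker's key."""
    pypi_key, mitm_key = b"pypi-serverkey", b"attacker-serverkey"
    evil = b"<a href='pkg-1.0.tar.gz#md5=constructed'>"
    mitm = Channel(mitm_key, {"pkg": (evil, sign(mitm_key, evil))})
    naive_page, naive_key = refetch_on_mismatch(pypi_key, mitm, "pkg")
    pinned = PinnedVerifier(pypi_key)
    pinned_page = pinned.fetch(mitm, "pkg")
    forged = pinned.rotate(mitm_key, sign(mitm_key, b"serverkey:" + mitm_key))
    return naive_page == evil, naive_key == mitm_key, pinned_page is None, forged
```

`scenario()` returns `(True, True, True, False)`: the refetching client installs the tampered page and now trusts the attacker's key, while the pinned client rejects both the page and the forged rotation.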