That's true; transmission of the serverkey is not currently protected
against MITM. How would you suggest fixing that?

As for perusing the source: the client behavior is not implemented yet,
so there isn't really any source to check, yet.

Following up to myself: The mirroring protocol doesn't really *need*
to protect against MITM. Communication with PyPI (e.g. package download) currently isn't protected against MITM, either, so the mirroring adds no new threat here. The protocol primarily protects against malicious mirror operators, and hacked mirrors.

With that, a simple solution might be to offer opt-out of serverkey
updates. Users who worry about MITM should manually install the serverkey in their pypirc; distribute could then refuse to automatically update it. In the case of key rollover, users would need to download the server key again in a trusted manner.

Regards,
Martin
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
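An added illustration (not code from the original message, from distribute, or from PyPI) of the opt-out policy sketched above: a client only auto-accepts a freshly downloaded serverkey when no key is pinned in pypirc, and refuses a mismatching key otherwise, so a rollover must be re-fetched by the user through a trusted channel. The `[mirror]` section and `serverkey_sha256` option are assumed names, and the key bytes are constructed.

```python
import configparser
import hashlib
from typing import Optional, Tuple

# Constructed stand-in for the contents of ~/.pypirc. The [mirror] section and
# the serverkey_sha256 option are hypothetical names chosen for this example.
PYPIRC_UNPINNED = "[mirror]\n"
PYPIRC_PINNED_TEMPLATE = "[mirror]\nserverkey_sha256 = {fp}\n"

# Constructed keys standing in for the PEM serverkey a mirror client downloads.
TRUSTED_KEY = b"-----BEGIN PUBLIC KEY-----\nconstructed-key-A\n-----END PUBLIC KEY-----\n"
OTHER_KEY = b"-----BEGIN PUBLIC KEY-----\nconstructed-key-B\n-----END PUBLIC KEY-----\n"


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 hex digest of the raw serverkey bytes; this is what gets pinned."""
    return hashlib.sha256(key_bytes).hexdigest()


def load_pinned_fingerprint(pypirc_text: str) -> Optional[str]:
    """Return the pinned fingerprint from pypirc, or None when the user opted in to auto-update."""
    cp = configparser.ConfigParser()
    cp.read_string(pypirc_text)
    value = cp.get("mirror", "serverkey_sha256", fallback=None)
    return value.strip().lower() if value else None


def check_serverkey(pypirc_text: str, fetched_key: bytes) -> Tuple[str, str]:
    """Decide whether a downloaded serverkey may replace the local one.

    Returns (decision, fingerprint) where decision is one of:
      "auto-update" - no pin configured, key is accepted as received (MITM-exposed)
      "pinned-ok"   - pin configured and the fetched key matches it
      "refuse"      - pin configured and the fetched key differs (rollover or tampering);
                      the user must re-fetch the key over a trusted channel and re-pin it
    """
    fp = fingerprint(fetched_key)
    pinned = load_pinned_fingerprint(pypirc_text)
    if pinned is None:
        return ("auto-update", fp)
    if pinned == fp:
        return ("pinned-ok", fp)
    return ("refuse", fp)


if __name__ == "__main__":
    pinned_rc = PYPIRC_PINNED_TEMPLATE.format(fp=fingerprint(TRUSTED_KEY))
    print(check_serverkey(PYPIRC_UNPINNED, OTHER_KEY)[0])   # auto-update
    print(check_serverkey(pinned_rc, TRUSTED_KEY)[0])       # pinned-ok
    print(check_serverkey(pinned_rc, OTHER_KEY)[0])         # refuse
```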
