A simple way to protect against just the issue you mentioned is to have the clients retrieve the key over HTTPS or distribute the key with the client.
OK. I have now enabled HTTPS for PyPI (https://pypi.python.org/pypi).
Okay. We'd be happy to work with you to get an easy solution put in place.
Thanks for the offer. Notice that this project is primarily about mirroring; other issues (should they exist) preferably should be dealt with separately.
TUF is fairly early stage (our first major deployment is ongoing), but might be worth consideration. I think we could probably put together a quick demo so that you and others could see how it might work with one of the existing client updaters.
I don't think adding another dependency to the clients is really acceptable. Instead, it must all be self-contained.
Regards,
Martin

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
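The thread's two technical points are that the key a client checks mirrored packages against must not come from the mirror itself (it should be fetched from the origin over HTTPS or shipped with the client), and that the client should stay self-contained with no extra dependency. The following is an added example, not code from this thread, from PyPI or from the TUF project: a standard-library-only mirror client that ships the fingerprint of the index signing key, accepts a key from any channel only when it matches that pinned fingerprint, and then checks each mirrored package against a manifest of SHA-256 digests. The mirror is modelled as a dict, and the key bytes, manifest and package contents are constructed sample values. The manifest is assumed to be authenticated with the accepted key by a real signature check that this example does not implement.

```python
"""Key pinning for a mirror client (constructed example, standard library only).

The mirror serves packages, a manifest and even a copy of the signing key, but
trust is rooted only in the fingerprint compiled into the client."""
import hashlib
import hmac

# --- Data shipped with the client (constructed values, not a real PyPI key) ---
# Shipping the fingerprint rather than the full key keeps the client small; the
# key itself may then be fetched from the origin over HTTPS or from a mirror,
# because it is only accepted if it hashes to this value.
SIGNING_KEY = b"-----BEGIN PUBLIC KEY-----\nEXAMPLE-INDEX-SIGNING-KEY\n-----END PUBLIC KEY-----\n"
PINNED_FINGERPRINT = hashlib.sha256(SIGNING_KEY).hexdigest()


class MirrorError(Exception):
    """Raised when mirror-served data fails a trust check."""


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 hex fingerprint of a key blob."""
    return hashlib.sha256(key_bytes).hexdigest()


def accept_key(key_bytes: bytes) -> bytes:
    """Accept a key fetched from any channel only if it matches the pinned fingerprint.

    compare_digest keeps the comparison constant-time; a plain == would stop at
    the first differing character."""
    if not hmac.compare_digest(fingerprint(key_bytes), PINNED_FINGERPRINT):
        raise MirrorError("key does not match the fingerprint shipped with the client")
    return key_bytes


def verify_package(name: str, data: bytes, manifest: dict) -> bool:
    """Check one package's SHA-256 against its manifest entry; True on success."""
    expected = manifest.get(name)
    if expected is None:
        raise MirrorError(f"{name} is not listed in the trusted manifest")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise MirrorError(f"digest mismatch for {name}")
    return True


def install_from_mirror(mirror: dict) -> list:
    """Full client flow against a mirror modelled as a dict; returns verified names.

    Assumption: in a real client the manifest would be signature-checked with
    the key returned by accept_key before any digest in it is trusted."""
    accept_key(mirror["signing_key"])
    manifest = mirror["manifest"]
    verified = []
    for name, data in mirror["packages"].items():
        verify_package(name, data, manifest)
        verified.append(name)
    return verified


def make_mirror(packages: dict, key: bytes = SIGNING_KEY) -> dict:
    """Build a mirror snapshot: the manifest models what the origin published."""
    return {
        "signing_key": key,
        "manifest": {n: hashlib.sha256(d).hexdigest() for n, d in packages.items()},
        "packages": dict(packages),
    }


if __name__ == "__main__":
    honest = make_mirror({"foo-1.0.tar.gz": b"foo contents"})
    print("verified:", install_from_mirror(honest))

    # A mirror substituting its own key is refused before any package is read.
    rogue = make_mirror({"foo-1.0.tar.gz": b"foo contents"}, key=b"attacker key")
    try:
        install_from_mirror(rogue)
    except MirrorError as err:
        print("rejected:", err)
```

The two failure modes the thread is concerned with are both caught: a mirror that serves a different key fails the fingerprint check, and a mirror that alters a package while leaving the origin's manifest in place fails the digest check. What the example does not cover is a mirror that rewrites the manifest too, which is exactly why the manifest must be signed with the pinned key rather than merely served alongside it.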