It depends on the threat model which is worse. If you're worried about the Chinese govt inserting malicious packages to track dissidents then using a universally accepted SSL cert is a bad idea. It's easy for a powerful and motivated attacker to get arbitrary certs signed.

If you think that the risk of having the certificate stolen, loss of administrative control, etc. is a bigger threat, then a universally accepted SSL cert seems the wiser outcome. Of course, if distutils and other tools don't check certs, etc. this is all academic...

Thanks,
Justin

On Sat, Jun 4, 2011 at 1:30 PM, M.-A. Lemburg <[email protected]> wrote:
> "Martin v. Löwis" wrote:
>>> Which makes me wonder, why is it that PyPI doesn't use a universally
>>> accepted SSL cert instead of the CAcert one? Note: I'm a CAcert assurer
>>> myself but would prefer using a cert by one of the commercial CAs for
>>> the sake of the users.
>>>
>>> Any opinions?
>>
>> Primarily because of lack of volunteer time. Buying a certificate is
>> a big effort, issuing a cacert one is simple.
>>
>> And before anybody says "no, it's not difficult", or "no, it shouldn't
>> be difficult", please consider volunteering for the next ten years to
>> manage the PSF server certificates (as one of the key problems that
>> makes it difficult is that responsibilities change so often with
>> volunteers).
>
> Perhaps we could get Pat, the PSF secretary and administrator
> to deal with the paperwork that's needed to get a certificate.
>
> Installing it is not really such a major task, once you have
> the paperwork done. Should we take this to the PSF board for
> discussion?
>
> --
> Marc-Andre Lemburg
> eGenix.com
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
