On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft <donald.stu...@gmail.com>wrote:
> On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
>
> > As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
> > SHA2 hash of the file to be downloaded from an external host would be
> > enough to detect tampering over time.
>
> You could do this, still lowers the overall availability of the system
> which kinda sucks, and to actually be sane and secure you'd still need to
> rework the current method of trolling for external urls.
>
> > pip could come with a copy of PyPI's ssl certificate, verifying that it
> > was identical to the expected cert rather than signed by one of 100s of
> > trusted CAs.
>
> That loses the ability to change PyPI's SSL cert, basically forever and
> still doesn't protect MITM against someone logging into PyPI through a
> browser.

Or it could just notify you whenever the SSL certificate changed.
http://tack.io/ lets a site sign its SSL certificate with a key that
doesn't change. Of course doing SSL at all is the priority.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
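The two client-side options discussed in this thread, a strict pin on a shipped copy of the server certificate versus a notify-on-change store, as an added example that is not part of the original message or of pip; the certificate bytes are constructed stand-ins and the host name is a placeholder.

```python
import hashlib
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def verify_pinned(cert_der: bytes, pinned_fingerprint: str) -> bool:
    """Strict pin: the presented certificate must be identical to the one the
    client shipped with (compared via its hash). As the thread notes, rotating
    the server certificate then breaks every client until the pin is updated."""
    return fingerprint(cert_der) == pinned_fingerprint.lower()


def check_for_change(cert_der: bytes, host: str, store: dict) -> str:
    """Notify-on-change (trust on first use): remember the fingerprint the
    first time a host is seen and report when a later connection presents a
    different certificate. Returns "first-seen", "match" or "changed"."""
    fp = fingerprint(cert_der)
    seen = store.get(host)
    if seen is None:
        store[host] = fp
        return "first-seen"
    return "match" if seen == fp else "changed"


def fetch_peer_cert(host: str, port: int = 443) -> bytes:
    """Fetch the DER certificate a live server presents so it can be passed
    to the checks above. Needs network access; normal CA validation still
    runs, so the pin/change check is an extra layer, not a replacement."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_V1 = b"constructed-cert-bytes-v1"
CERT_V2 = b"constructed-cert-bytes-v2"
PINNED = fingerprint(CERT_V1)  # the value a client would ship with
HOST = "pypi.example"  # placeholder host name used as the store key
```

In the notify-on-change variant a "changed" result is only a signal; whether a legitimate rotation or an interception caused it still has to be decided out of band.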