On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote:
> Transporting almost all externally reachable packages to be locally pypi
> served is also kind of a low hanging fruit, although probably slightly
> higher hanging than SSL :) The point is that we can have some control over
> those packages once we have them - so we can delete them if they are reported
> to be malicious independently of maintainer reachability.
>

We have no way to validate the package we are downloading is the accurate one; we should not infer trust/validation that doesn't exist.

> No, because a signature can only be created by the original author for
> a particular file (his upload), not from the download site or a
> MITM-attacker for a different file.
>

This assumes we know what the correct key is. If we don't, then we have no way to validate that the signature was created by the author and not by someone else. Trust is hard.

> best,
> holger
>
> > //Lennart
_______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
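The disagreement above comes down to one question: does the verifier already know the author's key, or does it take whatever key arrives with the download? The following Go program is an added example written for this archive page; it is not code from the thread, from PyPI or from pip. It uses the standard library's Ed25519 to play through both readings with a constructed project name and constructed archive bytes: a "served key" verifier that accepts the key shipped next to the package, and a "pinned key" verifier that consults a trust store the client obtained out of band. A MITM who replaces the archive, the signature and the key satisfies the first verifier and fails the second, which is exactly the gap the reply points at.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is what a download site (or a MITM on the path to it) hands the
// client: the archive, a detached signature, and the public key the site
// says produced it. Whoever controls the response controls all three.
type Release struct {
	Project   string
	Archive   []byte
	Signature []byte
	ServedKey ed25519.PublicKey
}

// Publish signs an archive with a freshly generated key pair and bundles it
// the way a client would receive it. Both the real author and an attacker
// can call this; nothing in the bundle says which one did.
func Publish(project string, archive []byte) (Release, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Release{}, nil, err
	}
	return Release{
		Project:   project,
		Archive:   archive,
		Signature: ed25519.Sign(priv, archive),
		ServedKey: pub,
	}, pub, nil
}

// VerifyWithServedKey accepts the key that came with the download. It proves
// only that the signature matches *some* key, which an attacker who swapped
// the archive satisfies by swapping the key as well.
func VerifyWithServedKey(r Release) bool {
	return ed25519.Verify(r.ServedKey, r.Archive, r.Signature)
}

// VerifyWithPinnedKey looks the project up in a trust store the client got
// independently of the download (shipped with the tool, exchanged with the
// author, etc.) and ignores whatever key the site served.
func VerifyWithPinnedKey(r Release, trusted map[string]ed25519.PublicKey) bool {
	pk, ok := trusted[r.Project]
	if !ok {
		return false // no trust anchor for this project: refuse rather than guess
	}
	return ed25519.Verify(pk, r.Archive, r.Signature)
}

// Outcome records both verifiers' verdicts on a genuine and a substituted release.
type Outcome struct {
	GenuineServedKey, GenuinePinnedKey bool
	ForgedServedKey, ForgedPinnedKey   bool
}

// Scenario plays through the thread's argument: the author publishes a
// release, the client has pinned the author's key out of band, and a MITM
// replaces the whole response with its own archive, signature and key.
// Project name and archive contents are constructed for the illustration.
func Scenario() (Outcome, error) {
	genuine, authorKey, err := Publish("example-pkg", []byte("constructed sdist bytes: genuine"))
	if err != nil {
		return Outcome{}, err
	}
	trusted := map[string]ed25519.PublicKey{"example-pkg": authorKey}

	forged, _, err := Publish("example-pkg", []byte("constructed sdist bytes: backdoored"))
	if err != nil {
		return Outcome{}, err
	}

	return Outcome{
		GenuineServedKey: VerifyWithServedKey(genuine),
		GenuinePinnedKey: VerifyWithPinnedKey(genuine, trusted),
		ForgedServedKey:  VerifyWithServedKey(forged),
		ForgedPinnedKey:  VerifyWithPinnedKey(forged, trusted),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release: served-key=%v pinned-key=%v\n", o.GenuineServedKey, o.GenuinePinnedKey)
	fmt.Printf("forged release:  served-key=%v pinned-key=%v\n", o.ForgedServedKey, o.ForgedPinnedKey)
}
```

The served-key check reports the forged release as valid because the attacker's signature really does match the attacker's key; only the check that already knew the author's key rejects it. Note also that the pinned verifier refuses a project it has no anchor for instead of falling back to the served key, since that fallback would reopen the same hole.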