On Tue, Feb 5, 2013 at 4:14 PM, holger krekel <hol...@merlinux.eu> wrote:

>> Sure, and that's another problem, and the low-hanging fruit there is
>> using https.
>
> Transporting almost all externally reachable packages to be locally pypi
> served is also kind of a low hanging fruit, although probably slightly
> higher hanging than SSL :) The point is that we can have some control over
> those packages once we have them - so we can delete them if they are reported
> to be malicious independently of maintainer reachability.

Yeah. It makes sense, actually.

> No, because a signature can only be created by the original author for
> a particular file (his upload), not from the download site or a
> MITM-attacker for a different file.

Ah, yes. What you mean is that if a signature is available *and* the author has
uploaded his PGP/GPG key to PyPI.

//Lennart

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig