On 14 March 2013 05:54, Tres Seaver <tsea...@palladion.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/12/2013 03:57 PM, holger krekel wrote:
>> Nobody should be led to think that PYPI is a trusted or reviewed
>> source of software even if we got rid of external hosting completely.
>
> Amen. I still boggle at the amount of "sky is falling" stuff here over
> MITM / external links / whatever, given the potential damage from
> explicitly malicious uploads (trojans, viruses, whatever). Package
> signing might help here, but only for consumers who are willing to think hard
> enough about the problem to manage a web of trust (frankly, a vanishingly
> small minority).
Well, yes: HTTPS and external links are problems which it is necessary to solve, and not sufficient to make 'pypi secure', but that doesn't mean we should do a poor job solving them.

-Rob

-- 
Robert Collins <rbtcoll...@hp.com>
Distinguished Technologist
HP Cloud Services

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig