On Wed, Mar 13, 2013 at 5:16 PM, Carl Meyer <c...@oddbird.net> wrote:
> There is no "instead of." There are parallel proposals (see the TUF
> thread) to improve the security of the ecosystem, and those proposals
> are not mutually exclusive with this one. If you search the PEP text,
> note that you don't find the words "secure" or "security" anywhere
> within it, or any claims of security achieved by this proposal alone.
> There is a brief mention of MITM attacks, which is relevant to the PEP
> because avoiding external link-crawling does reduce that attack surface,
> even if other proposals will also help with that (even more).
Right, the changes to provide end-to-end security require more extensive changes and need to be given appropriate consideration before we proceed to implementation and deployment. This PEP, especially with the additional changes you propose here, is an excellent approach to *near term* improvement, as a parallel effort to the more complex proposals.

The /simple/ index will also be around for a long time for backwards compatibility reasons, regardless of any other changes that happen in the overall distribution ecosystem.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig