On Aug 5, 2013, at 11:56 PM, holger krekel <hol...@merlinux.eu> wrote:
> On Mon, Aug 05, 2013 at 23:31 -0700, Noah Kantrowitz wrote:
>> On Aug 5, 2013, at 11:11 PM, Christian Theune <c...@gocept.com> wrote:
>>
>>> Two more things:
>>>
>>> Why is the CDN not suffering from the security problems you describe for
>>> the mirrors?
>>>
>>> a) Fastly seems to be the one owning the certificate for pypi.python.org.
>>> What?!?
>>
>> They have a delegated SAN for it, which DigiCert (the CA) authorizes with
>> the domain contact (the board in this case).
>>
>>> b) What stops Fastly from introducing incorrect/rogue code in package
>>> downloads?
>>
>> Basically this one boils down to personal trust from me to the Fastly team
>> combined with the other companies using them being very reputable. At the
>> end of the day, there is not currently any cryptographic mechanism
>> preventing Fastly from doing bad things.
>
> The problem is not so much trusting individuals but that the companies
> in question are based in the US. If its government wants to temporarily
> serve backdoored packages to select regions, they could silently force Fastly
> to do it. I guess the only way around this is to work with pypi- and
> eventually author/maintainer-signatures and verification.

No, I have carefully selected whom I trust to work with on the PSF infrastructure. I can promise you there is a 100% chance that the head of Fastly would sooner shut down the company than allow a government interdiction of any kind. I extend this trust to Dyn and OSL as well, and I do not do so lightly.

--Noah
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig
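The thread above observes that nothing cryptographic stops the CDN from substituting package contents, and that per-package verification is the way around it. As an added example, not code from the thread, from pip or from PyPI, here is a minimal client-side hash-pinning check in the style pip later adopted with `--hash` options in requirements files: the maintainer records the digest once from bytes they built themselves, the pin travels with the project rather than with the download, and the client checks the downloaded bytes against it, so substitution at the CDN is detected regardless of who holds the TLS certificate. The package name `example-pkg`, the sdist bytes and the requirements text are constructed for the example; `install_check` and `pins_are_acceptable` are illustrative helpers, not pip APIs.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Accept only digests a practitioner would still pin on; md5/sha1 are rejected.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}
HASH_OPT = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


class IntegrityError(Exception):
    """Raised when a downloaded artifact cannot be matched to a trusted pin."""


def parse_requirements(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse pip-style 'name==ver --hash=alg:hex' lines into {spec: [(alg, hex), ...]}.

    Every requirement must carry at least one pin: an unpinned line would let the
    download path (here, the CDN) decide what gets installed.
    """
    pins: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        spec, *options = line.split()
        hashes: List[Tuple[str, str]] = []
        for opt in options:
            m = HASH_OPT.fullmatch(opt)
            if m is None:
                raise ValueError(f"{spec}: unrecognised option {opt!r}")
            alg, hexdigest = m.group(1), m.group(2).lower()
            if alg not in ALLOWED_ALGORITHMS:
                raise ValueError(f"{spec}: refusing weak or unknown hash algorithm {alg!r}")
            hashes.append((alg, hexdigest))
        if not hashes:
            raise IntegrityError(f"{spec}: no --hash pin, refusing to install unpinned package")
        pins[spec] = hashes
    return pins


def verify_artifact(spec: str, data: bytes, pins: Dict[str, List[Tuple[str, str]]]) -> bool:
    """Return True if `data` matches any pinned digest for `spec`, else raise IntegrityError.

    Several pins per package are allowed (for instance an sdist and a wheel); matching
    any one is enough, which mirrors pip's hash-checking mode.
    """
    expected = pins.get(spec)
    if not expected:
        raise IntegrityError(f"{spec}: not present in the pinned requirements")
    for alg, hexdigest in expected:
        actual = hashlib.new(alg, data).hexdigest()
        if hmac.compare_digest(actual, hexdigest):
            return True
    raise IntegrityError(f"{spec}: downloaded artifact matches none of the pinned hashes")


# --- constructed sample data (stand-ins, not real PyPI artifacts) -------------------
GOOD_SDIST = b"# constructed stand-in for example-pkg-1.0.tar.gz\nprint('hello')\n"
# What a substituting CDN (or anyone between client and origin) might serve instead.
TAMPERED_SDIST = GOOD_SDIST + b"# extra bytes inserted in transit\n"

# The maintainer records the digest once, from bytes they built themselves; the pin
# then lives in version control with the project, not on the download path.
REQUIREMENTS = (
    "# constructed requirements file with a hash pin recorded by the maintainer\n"
    f"example-pkg==1.0 --hash=sha256:{hashlib.sha256(GOOD_SDIST).hexdigest()}\n"
)


def install_check(spec: str, downloaded: bytes, requirements: str = REQUIREMENTS) -> str:
    """Simulate the install step: 'ok' if the download matches its pin, else 'rejected: ...'."""
    pins = parse_requirements(requirements)
    try:
        verify_artifact(spec, downloaded, pins)
        return "ok"
    except IntegrityError as exc:
        return f"rejected: {exc}"


def pins_are_acceptable(requirements: str) -> bool:
    """True if every line carries at least one pin using an allowed algorithm."""
    try:
        parse_requirements(requirements)
        return True
    except (ValueError, IntegrityError):
        return False


if __name__ == "__main__":
    print(install_check("example-pkg==1.0", GOOD_SDIST))      # ok
    print(install_check("example-pkg==1.0", TAMPERED_SDIST))  # rejected: ...
    print(pins_are_acceptable("example-pkg==1.0 --hash=md5:d41d8cd98f00b204e9800998ecf8427e"))  # False
```

Two caveats worth keeping in mind. A pin only proves the download equals what the pinning party saw, so it covers the CDN and the transport but not a maintainer's own machine or the moment of first pinning; the author and maintainer signatures Holger mentions are the step that closes that gap. And the check must run on the client, after download and before anything is unpacked or executed, since a digest served by the same CDN next to the artifact can be rewritten together with it.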