On Fri, Feb 8, 2019, 6:18 AM Thomas Kluyver <tho...@kluyver.me.uk wrote:

> I forgot to mention that there is work/discussion about supporting code
> signing, in PEPs 458 and 480. But it's a complicated topic, and code
> signing is not the silver bullet that some commentators seem to think it is.
>

Yeah, I can sign malicious code just as well as sign normal code.

Plus, there's the difficulty of what exactly defines malicious code? Config
management tools are legit, but if I installed them on your machine without
your consent and controlled them, surprise! Now they're malicious!

So... Difficult topic, yeah. You and your organization just have to
determine how much risk you're comfortable with.

On the plus side most Python packages are open source so you can just see
what the code is doing, making security audits easier.
-W
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/7NRCZ2JKYUZ642M2CIMPG275EVBYKZ5G/
