On 2/8/19 3:09 PM, Wayne Werner wrote:


On Fri, Feb 8, 2019, 6:18 AM Thomas Kluyver <tho...@kluyver.me.uk> wrote:

    I forgot to mention that there is work/discussion about supporting
    code signing, in PEPs 458 and 480. But it's a complicated topic, and
    code signing is not the silver bullet that some commentators seem to
    think it is.


Yeah, I can sign malicious code just as well as sign normal code.

Plus, there's the difficulty of what exactly defines malicious code? Config management tools are legit, but if I installed them on your machine without your consent and controlled them, surprise! Now they're malicious!

So... Difficult topic, yeah. You and your organization just have to determine how much risk you're comfortable with.

On the plus side most Python packages are open source so you can just see what the code is doing, making security audits easier.

Just make sure you check the code you actually install.
PyPI doesn't enforce that "matching" wheels and sdists contain the same code, or that they contain code from any linked GitHub repository, etc.
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/K5RJ6IZP7TK62H7CCVTCCTZEGVZYIIXH/
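The last reply's point, that PyPI does not check that a "matching" wheel and sdist ship the same code, is something a consumer can verify for themselves before installing. The following is an added example, not code from the thread, from PyPI or from any project mentioned in it: it hashes every `.py` file inside a wheel (a zip archive) and inside an sdist (a gzipped tar with a `name-version/` prefix) and reports files that differ or exist in only one artifact. To run offline it builds a constructed `demo 1.0` wheel/sdist pair in a temporary directory, with one extra statement deliberately planted in the wheel; the package name, file contents and the `build_constructed_release` helper are all made up for the example. Against a real release you would instead point `compare_sources` at the files fetched with `pip download --no-deps --only-binary :all: <pkg>` and `pip download --no-deps --no-binary :all: <pkg>` (a suggested use, not something the thread describes).

```python
"""Compare the Python sources shipped in a wheel against those in an sdist.

Added example, not code from the distutils-sig thread or from PyPI.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import zipfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def wheel_sources(path: str) -> dict:
    """Map 'pkg/module.py' -> sha256 for every .py file in a wheel (a zip)."""
    out = {}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.endswith(".py") and ".dist-info/" not in name:
                out[name] = _sha256(zf.read(name))
    return out


def sdist_sources(path: str) -> dict:
    """Map 'pkg/module.py' -> sha256 for every .py file in an sdist (tar.gz).

    The sdist has a top-level 'name-version/' directory; strip it so paths
    line up with the wheel's layout. Top-level files such as setup.py are
    skipped because they never ship inside a wheel.
    """
    out = {}
    with tarfile.open(path, "r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if "/" not in rel:  # top-level setup.py etc.
                continue
            out[rel] = _sha256(tf.extractfile(member).read())
    return out


def compare_sources(wheel_path: str, sdist_path: str) -> dict:
    """Return {'changed': [...], 'only_in_wheel': [...], 'only_in_sdist': [...]}."""
    w, s = wheel_sources(wheel_path), sdist_sources(sdist_path)
    return {
        "changed": sorted(p for p in w.keys() & s.keys() if w[p] != s[p]),
        "only_in_wheel": sorted(w.keys() - s.keys()),
        "only_in_sdist": sorted(s.keys() - w.keys()),
    }


def build_constructed_release(directory: str) -> tuple:
    """Write a constructed wheel + sdist pair for a fake package 'demo 1.0'.

    The wheel's demo/__init__.py carries one extra statement that the sdist
    lacks, standing in for a release whose binary artifact diverged from the
    source it claims to match. Returns (wheel_path, sdist_path).
    """
    sdist_init = b"VERSION = '1.0'\n"
    wheel_init = sdist_init + b"import os  # constructed divergence\n"
    core = b"def add(a, b):\n    return a + b\n"

    wheel_path = os.path.join(directory, "demo-1.0-py3-none-any.whl")
    with zipfile.ZipFile(wheel_path, "w") as zf:
        zf.writestr("demo/__init__.py", wheel_init)
        zf.writestr("demo/core.py", core)
        zf.writestr("demo-1.0.dist-info/METADATA", "Name: demo\nVersion: 1.0\n")

    sdist_path = os.path.join(directory, "demo-1.0.tar.gz")
    with tarfile.open(sdist_path, "w:gz") as tf:
        for name, data in (
            ("demo-1.0/setup.py", b"from setuptools import setup\nsetup()\n"),
            ("demo-1.0/demo/__init__.py", sdist_init),
            ("demo-1.0/demo/core.py", core),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return wheel_path, sdist_path


def demo() -> dict:
    """Build the constructed pair and return the comparison report."""
    with tempfile.TemporaryDirectory() as d:
        wheel_path, sdist_path = build_constructed_release(d)
        return compare_sources(wheel_path, sdist_path)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

On the constructed pair the report lists `demo/__init__.py` under `changed` and nothing under the two "only in" buckets. A clean result only says the two PyPI artifacts agree with each other; it says nothing about whether either matches a linked GitHub repository, which is the second gap the reply points out and would need the same comparison run against a checkout of the tagged source.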
