> On Nov 14, 2014, at 2:39 PM, Jeremy Stanley <fu...@yuggoth.org> wrote:
>
> On 2014-11-15 02:57:15 +0800 (+0800), Thomas Goirand wrote:
> [...]
>> Do you realize that with the TLS system, you have to trust every
>> and all CA, while with PGP, you only need to trust a single
>> fingerprint?
> [...]
>
> Technically not true *if* the package retrieval tools implement
> certificate pinning rather than trusting any old CA (after all,
> they're not Web browsers, so they could in theory do that with
> minimal impact).
>
> Too bad https://github.com/pypa/pip/issues/1168 hasn't gotten much
> traction.
Yeah, the primary reason that hasn't been done is that up until recently we (PyPI) were relying on the TLS certificate provided by Fastly, and they were unwilling to make a promise to also be using a particular CA for the next N years. We now have dedicated IP addresses with them, so we can provide them with whatever certificate we want; now it's just a matter of selecting CAs and the political process.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
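An added example (not code from this thread, nor from pip or PyPI) of the "certificate pinning rather than trusting any old CA" approach Jeremy describes for a package-retrieval client: normal CA and hostname validation stays on, and the presented certificate must additionally match a fingerprint shipped with the client. SAMPLE_CERT_DER, PINS and PinMismatch are constructed/hypothetical names; the stdlib only exposes the leaf certificate, so pinning a CA certificate in the chain would need chain access the example does not assume.

```python
import hashlib
import socket
import ssl
from typing import Iterable, Set

# Constructed placeholder standing in for the DER bytes of the certificate
# the client expects; a real client ships the fingerprint, not the cert.
SAMPLE_CERT_DER = b"constructed-placeholder-der-certificate-bytes"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# Ship more than one pin so the operator can rotate the certificate (or the
# CA, the rotation concern raised in the thread) without locking out every
# deployed client. The second entry is a constructed backup pin.
PINS: Set[str] = {fingerprint(SAMPLE_CERT_DER), "0" * 64}


def chain_matches_pin(chain: Iterable[bytes], pins: Set[str]) -> bool:
    """True if any certificate in the presented chain matches a pin.
    Pinning an intermediate or root rather than the leaf survives routine
    leaf renewals; the stdlib client below can only supply the leaf."""
    return any(fingerprint(cert) in pins for cert in chain)


class PinMismatch(ssl.SSLError):
    """Raised when the chain validated fine but matched no pin."""


def pinned_connect(host: str, port: int, pins: Set[str],
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """TLS connect that requires BOTH standard validation AND a pin match."""
    ctx = ssl.create_default_context()  # chain + hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except BaseException:
        raw.close()
        raise
    try:
        leaf = tls.getpeercert(binary_form=True)  # DER bytes of the leaf
        if not leaf or not chain_matches_pin([leaf], pins):
            raise PinMismatch(f"{host}: presented certificate matches no pin")
    except BaseException:
        tls.close()  # never hand back a socket that failed the pin check
        raise
    return tls
```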