On Mon, Jul 26, 2010 at 4:52 AM, Tarek Ziadé <ziade.ta...@gmail.com> wrote:
> On Mon, Jul 26, 2010 at 1:20 PM, geremy condra <debat...@gmail.com> wrote:
>> On Mon, Jul 26, 2010 at 4:02 AM, Tarek Ziadé <ziade.ta...@gmail.com> wrote:
>>> On Sat, Jul 24, 2010 at 4:08 PM, Guido van Rossum <gu...@python.org> wrote:
>>
>> <snip>
>>
>>>> Mirroring apparently also
>>>> requires some client changes.
>>>
>>> Mirrors can be used as long as you manually point a mirror when using
>>> them. We are working on making the
>>> switch automatic.
>>
>> I think we've talked briefly about this before, but let me reiterate
>> that getting this right from a security point of view is quite a bit
>> harder than it at first appears, and IMHO it is worth getting right.
>
> FWIW, Martin has added a section about mirror authenticity in the PEP:
>
> http://www.python.org/dev/peps/pep-0381/#mirror-authenticity

This is more-or-less what was discussed earlier, and from what's described
here I think the concerns I voiced stand. What's the right way to do
disclosure on this sort of issue?

Geremy Condra