[Catalog-sig] How to verify cheeseshop signatures?
Phillip J. Eby
pje at telecommunity.com
Sun Oct 23 20:04:15 CEST 2005

At 07:56 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>Phillip J. Eby wrote:
>>In this case, that person could simply distribute everything from their
>>site, and the user can simply require all the downloads to come from that
>>site using easy_install's --allow-hosts option. For example, since
>>TurboGears distributes all its dependencies, I could trust only
>>turbogears.org. Or, I could choose to trust anything from
>>In other words, host-based trust seems a lot easier to implement and
>>almost as useful.
>IMO, common sense is just as useful: people know what software to
>install, so go right ahead and do it.
>Host-based trust really adds very little here: even if I like the
>software, somebody could have taken over the server and replaced
>it with a trojan. In that scenario, neither host-based trust nor
>common sense would help; I can't think of a scenario where host-based
>trust would help beyond common sense.

It doesn't - except for the fact that easy_install automatically locates
and downloads dependencies using information on PyPI. So --allow-hosts can
be used to rein in its enthusiasm a bit. :) It's also useful to set up a
machine to only download software from a designated location by default, or
to prevent automatic downloading altogether (by allowing only localhost).
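
The --allow-hosts policy discussed above, as an added example that is not code from this thread or from setuptools itself: a small Python model of the host-allowlist check, in the spirit of easy_install's option (comma-separated glob patterns matched against the hostname of each candidate download URL, "localhost" alone meaning no network downloads). The treatment of file: URLs as "localhost", the policy names and the sample links are my assumptions, not the tool's behaviour. It also shows the check a practitioner wants to make before trusting such a list: a pattern must match the whole hostname, otherwise a look-alike host such as turbogears.org.evil.example slips through.

```python
"""Model of an easy_install-style --allow-hosts check (added example, not setuptools code)."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumption: local file: URLs have no network host, so they are treated as
# "localhost". That makes allow_hosts=("localhost",) mean "no downloads at all,
# only eggs/sdists already on this machine", as the message above describes.
LOCAL_HOST = "localhost"


def host_allowed(url, allow_hosts=("*",)):
    """Return True if the URL's hostname matches one of the glob patterns.

    Patterns are compared case-insensitively against the hostname only
    (scheme, port, path and query are ignored), so "turbogears.org" matches
    http://turbogears.org:8080/eggs/ but NOT turbogears.org.evil.example.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        host = LOCAL_HOST if parts.scheme == "file" else ""
    host = host.lower()
    return any(fnmatchcase(host, pattern.strip().lower())
               for pattern in allow_hosts if pattern.strip())


def filter_links(links, allow_hosts):
    """Split candidate download links into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in links:
        (allowed if host_allowed(url, allow_hosts) else blocked).append(url)
    return allowed, blocked


# Constructed sample links, standing in for what a dependency scan of an index
# page might turn up. Package names and paths are made up for the example.
SAMPLE_LINKS = [
    "http://turbogears.org/eggs/Foo-1.0-py2.4.egg",
    "http://www.turbogears.org/eggs/Bar-2.0.tar.gz",
    "http://turbogears.org.evil.example/eggs/Foo-1.0-py2.4.egg",   # look-alike host
    "http://cheeseshop.python.org/packages/source/b/baz/baz-0.5.tar.gz",
    "file:///home/pje/eggs/Qux-0.1-py2.4.egg",
]

# Hypothetical policy names; the tuples are the pattern lists one would pass.
POLICIES = {
    "anything": ("*",),                                            # the default: trust every host
    "turbogears_only": ("turbogears.org", "*.turbogears.org", LOCAL_HOST),
    "no_downloads": (LOCAL_HOST,),                                 # local files only
}


def policy_report(links=SAMPLE_LINKS, policies=POLICIES):
    """Return {policy_name: (allowed, blocked)} for every policy."""
    return {name: filter_links(links, patterns) for name, patterns in policies.items()}


if __name__ == "__main__":
    for name, (allowed, blocked) in policy_report().items():
        print("policy %r:" % name)
        for url in allowed:
            print("  ALLOW  ", url)
        for url in blocked:
            print("  BLOCKED", url)
    # The pitfall: a trailing wildcard turns the allowlist into a prefix match.
    print("turbogears.org* matches the look-alike host:",
          host_allowed(SAMPLE_LINKS[2], ("turbogears.org*",)))
```

The patterns in the tuples are the same ones you would hand to the option on the command line (comma-separated) or put under the [easy_install] section of setup.cfg or ~/.pydistutils.cfg as allow_hosts; note that matching on the hostname is only as good as the hostname's resolution and the server behind it, which is exactly the compromised-server case the thread says host-based trust does not cover.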