[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
jcea at jcea.es
Wed Jun 16 00:20:15 CEST 2010
-----BEGIN PGP SIGNED MESSAGE-----
On 15/06/10 22:33, M.-A. Lemburg wrote:
> * How will clients be sure that they are getting the correct key ?
Err... Download from a HTTPS server, with certificate verification in
the client, would be nice :).
> * What would a client do if the PyPI server is down ?
I would keep using the old key if I can't refresh it. If the key is
changed once per year, that would be painless most of the time.
> * How would clients protect their local cached copy of the
> server key against manipulation ?
Well, if you can alter the local cached key, you can alter too the
client code to skip the verification completely.
> * Without access to OpenSSL and M2Crypto, how would clients
> apply the check ?
Time ago I proposed to use ?Elgamal? signatures. The check can be done
in pure Python in maybe 5 lines of code. I use this in my own projects.
> Also, please consider that access to crypto code is restricted
> in some parts of the world. Users in those countries would have
> to be able to turn off verification.
Not for verification, I think. If the verification is 100% python, with
no crypto library required, less legal risk.
Personally I would ban mirrors deployed in no-crypto countries, if I can
not "certify" the files they are serving.
Jesus Cea Avion _/_/ _/_/_/ _/_/_/
jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/
jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/_/_/_/
. _/_/ _/_/ _/_/ _/_/ _/_/
"Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
"My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the Catalog-SIG