On Dec 30, 2014, at 9:29 PM, Richard Jones email@example.com wrote:
Thanks for the clarification, guys.
Donald, I'm not sure what you mean by "a compromise of the CDN for uploading".
PyPI trusts the CDN to give it the correct bits; without a signature from the author that is being verified, uploading just relies on TLS again. The other PEP should close that gap though, I believe.
Note: I have yet to read these PEPs so I’m just going by a casual glance of them.
Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA