On Aug 6, 2013, at 3:29 AM, martin@v.loewis.de wrote:
Quoting Donald Stufft <donald@stufft.io>:
Unless I'm forgetting something there's no real way to get the server key without going through Fastly
You should have a copy of the server key upfront, on your disk.
You can still get it directly from pypi with HTTP request to pypi.into.python.org/serverkey.
and even if there was Fastly could just hijack an upload (and murder their entire business in the process).
Couldn't you also use pypi.int.python.org for uploading?
Regards, Martin
pypi.int.python.org is not a public name and has no promise of existing tomorrow. Even if it was, it's HTTP-only, and thus you now have an attacker who can substitute his own key for the server key and his own serversig for packages downloaded over HTTP from a mirror. The same thing applies to uploading, so you remove the possibility of Fastly attacking you and open up the much wider chance that a MITM would attack you.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA