On Aug 6, 2013, at 3:03 AM, martin@v.loewis.de wrote:
Quoting holger krekel <holger@merlinux.eu>:
The problem is not so much trusting individuals but that the companies in question are based in the US. If its government wants to temporarily serve backdoored packages to select regions, they could silently force Fastly to do it. I guess the only way around this is to work with pypi- and eventually author/maintainer-signatures and verification.
Both are actually in place, just not widely used. Each simple page gets a pypi signature, in /serversig, which would allow to validate that a mirror or the CDN has the copy that is also on the master.
Unless I'm forgetting something there's no real way to get the server key without going through Fastly, and even if there was Fastly could just hijack an upload (and murder their entire business in the process).
Regards, Martin
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA