
On Wed, Mar 20, 2013 at 9:03 AM, Steve Dower <Steve.Dower@microsoft.com> wrote:
> From: Nick Coghlan [mailto:ncoghlan@gmail.com]
> [snip]
>> I was pointed to an interesting resource: http://www.lfd.uci.edu/~gohlke/pythonlibs/
>> (The security issues with that arrangement are non-trivial, but the convenience factor is huge)
>
> FWIW, one of the guys on our team has met with Christoph and considers him trustworthy.

Thanks, that's great to know, and ties into an idea that I just had.

In addition to whether or not the build is trusted, there's also the risk of MITM attacks against the download site (less so when automated installers aren't involved, but still a risk). We just switched PyPI over to HTTPS for that very reason.

The idle thought I had was that it may be useful if PyPI users could designate other users as "repackagers" for their project, and PyPI offered an interface that was *just* file uploads for an existing release. Then the pip developers, for example, could say "we trust Christoph to make our Windows installers", and grant him repackager access so he could upload the binaries for secure redistribution from PyPI rather than needing to host them himself.

We'd probably want something like this for an effective build farm system anyway; this way it could work regardless of whether it was a human or an automated system converting the released sdists to platform-specific binaries.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia