[Catalog-sig] repository security concerns
Martin v. Loewis
martin@v.loewis.de
11 Mar 2002 05:57:36 +0100
David Ascher <DavidA@ActiveState.com> writes:
> > one of my biggest concerns with a python-repository is
> > dealing with security, as the repository is enabling
> > of a framework of automatic installation of software
> > and will also tend to serve as a primary source of
> > python packages for manual installations.
>
> This appears to be a non-issue in the Perl world. CPAN is a simple FTP
> repository, and yet it works. Installing modules from CPAN is a
> one-liner in Perl.
It certainly is an issue. In PAUSE, you need to have a password to
identify yourself as an uploader. Use of secure HTTP for PAUSE is
strongly recommended.
Implementing a password scheme for the Python repository may also be
an option, but I'd prefer signed packages instead, or at least in
addition.
Regards,
Martin