[Catalog-sig] repository security concerns

Martin v. Loewis martin@v.loewis.de
11 Mar 2002 05:57:36 +0100


David Ascher <DavidA@ActiveState.com> writes:

> > one of my biggest concerns with a python-repository is
> > dealing with security, as the repository is enabling
> > of a framework of automatic installation of software
> > and will also tend to serve as a primary source of
> > python packages for manual installations.
> 
> This appears to be a non-issue in the Perl world.  CPAN is a simple FTP
> repository, and yet it works.  Installing modules from CPAN is a
> one-liner in Perl.

It certainly is an issue. In PAUSE, you need to have a password to
identify yourself as an uploader. Use of secure HTTP for PAUSE is
strongly recommended.

Implementing a password scheme for the Python repository may also be
an option, but I'd prefer signed packages instead, or at least in
addition.

Regards,
Martin
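The distinction Martin draws between an upload password and signed packages can be made concrete with a small verifier. The following is an added example for this archive page, not code from the thread, from PAUSE, CPAN or any Python repository: it uses Go's standard `crypto/ed25519` and a hypothetical `Package` record with a detached signature. The `trusted` map stands in for however an installer would actually learn the uploader's public key; that key distribution is the part a password scheme does not address, because a password only authenticates the upload, while a signature lets every downstream installer check the bytes it received regardless of which mirror served them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a hypothetical repository artifact: the archive bytes plus a
// detached signature made with the uploader's private key. (Constructed for
// this example; not a real repository format.)
type Package struct {
	Name      string
	Archive   []byte
	Signature []byte
}

// signedMessage binds the package name to the archive digest, so a valid
// signature over one package cannot be replayed as a signature over another.
func signedMessage(name string, archive []byte) []byte {
	digest := sha256.Sum256(archive)
	msg := append([]byte(name), 0)
	return append(msg, digest[:]...)
}

// SignPackage is what an uploader runs locally. The repository only ever
// receives the archive and the signature, never the private key, which is
// the property an upload password cannot give you.
func SignPackage(name string, archive []byte, priv ed25519.PrivateKey) Package {
	return Package{
		Name:      name,
		Archive:   archive,
		Signature: ed25519.Sign(priv, signedMessage(name, archive)),
	}
}

// VerifyPackage is what an installer runs before unpacking anything: look up
// the public key it trusts for this package name and check the signature.
// A package with no trusted key, a tampered archive, or a signature made by
// some other key is rejected with an error.
func VerifyPackage(pkg Package, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[pkg.Name]
	if !ok {
		return errors.New("no trusted signing key for package " + pkg.Name)
	}
	if !ed25519.Verify(pub, signedMessage(pkg.Name, pkg.Archive), pkg.Signature) {
		return errors.New("signature does not match archive for package " + pkg.Name)
	}
	return nil
}

func main() {
	// Constructed demo: one uploader key, one package, then a tampered copy.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"example-pkg": pub}

	pkg := SignPackage("example-pkg", []byte("constructed archive bytes"), priv)
	fmt.Println("original:", VerifyPackage(pkg, trusted))

	tampered := pkg
	tampered.Archive = append([]byte{}, pkg.Archive...)
	tampered.Archive = append(tampered.Archive, []byte(" plus something a mirror added")...)
	fmt.Println("tampered:", VerifyPackage(tampered, trusted))
}
```

The check runs on the installing side, so a compromised mirror, a leaked upload password, or a man-in-the-middle on a plain FTP fetch all fail at the same point: the archive no longer matches a signature from a key the installer trusts.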