[Catalog-sig] How to verify cheeseshop signatures?
"Martin v. Löwis"
martin at v.loewis.de
Sun Oct 23 19:56:10 CEST 2005
Phillip J. Eby wrote:
> In this case, that person could simply distribute everything from their
> site, and the user can simply require all the downloads to come from
> that site using easy_install's --allow-hosts option. For example, since
> TurboGears distributes all its dependencies, I could trust only
> turbogears.org. Or, I could choose to trust anything from
> In other words, host-based trust seems a lot easier to implement and
> almost as useful.
IMO, common sense is just as useful: people know what software to
install, so go right ahead and do it.
Host-based trust really adds very little here: even if I like the
software, somebody could have taken over the server and replaced
it with a trojan. In that scenario, neither host-based trust nor
common sense would help; I can't think of a scenario where host-based
trust would help beyond common sense.
More information about the Catalog-sig