[Catalog-sig] How to verify cheeseshop signatures?

"Martin v. Löwis" martin at v.loewis.de
Sun Oct 23 19:56:10 CEST 2005

Phillip J. Eby wrote:
> In this case, that person could simply distribute everything from their 
> site, and the user can simply require all the downloads to come from 
> that site using easy_install's --allow-hosts option.  For example, since 
> TurboGears distributes all its dependencies, I could trust only 
> turbogears.org.  Or, I could choose to trust anything from 
> cheeseshop.python.org.
> In other words, host-based trust seems a lot easier to implement and 
> almost as useful.

IMO, common sense is just as useful: people know what software to
install, so go right ahead and do it.

Host-based trust really adds very little here: even if I like the
software, somebody could have taken over the server and replaced
it with a trojan. In that scenario, neither host-based trust nor
common sense would help; I can't think of a scenario where host-based
trust would help beyond common sense.


More information about the Catalog-sig mailing list