[Catalog-sig] How to verify cheeseshop signatures?

Phillip J. Eby pje at telecommunity.com
Sun Oct 23 20:04:15 CEST 2005

At 07:56 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>Phillip J. Eby wrote:
>>In this case, that person could simply distribute everything from their 
>>site, and the user can simply require all the downloads to come from that 
>>site using easy_install's --allow-hosts option.  For example, since 
>>TurboGears distributes all its dependencies, I could trust only 
>>turbogears.org.  Or, I could choose to trust anything from 
>>In other words, host-based trust seems a lot easier to implement and 
>>almost as useful.
>IMO, common sense is just as useful: people know what software to
>install, so go right ahead and do it.
>Host-based trust really adds very little here: even if I like the
>software, somebody could have taken over the server and replaced
>it with a trojan. In that scenario, neither host-based trust nor
>common sense would help; I can't think of a scenario where host-based
>trust would help beyond common sense.

It doesn't - except for the fact that easy_install automatically locates 
and downloads dependencies using information on PyPI.  So --allow-hosts can 
be used to reign in its enthusiasm a bit.  :)  It's also useful to set up a 
machine to only download software from a designated location by default, or 
to prevent automatic downloading altogether (by allowing only localhost).

More information about the Catalog-sig mailing list