[Catalog-sig] Replication and security
Jesus Cea
jcea at jcea.es
Mon Jan 5 18:03:29 CET 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Currently setuptools allows to upload a PGP signature along the package,
to be able to check integrity and security. As far as I know, currently
"easy_install" doesn't check it. That is bad, but life sucks.
My problem now is with mirrors: How can anybody to validate files?.
Beside the possible PGP signatures of authors (a check that should be
integrated in "easy_install"), I would like PYPI main server (I guess it
would be the single point where people upload new packages; the mirrors
would be read-only) to digitally sign each uploaded package. This way,
easy_install can check any package downloaded from any mirror, because
PYPI public key would be a well known value.
I have code in python to digitally sign/verify signatures using ElGamal
algorithm. Any interest?
- --
Jesus Cea Avion _/_/ _/_/_/ _/_/_/
jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/
jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/_/_/_/
. _/_/ _/_/ _/_/ _/_/ _/_/
"Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
"My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBSWI9YZlgi5GaxT1NAQLDFAQAjKWWmi9h3E4RvEupi03oAy839iCe7AO5
1nAHs+0aeQbQwskcUSD1RVZ4xP/AeJ+Gva1rvJfr7Ho41FD9WEFO/ErnHyGhEnL3
QK30lXbosnIWoqRiwXijrKtYp+9/pyixuDt7bL8hQ6ZBzgsOnknHaLJhDsNK+AMf
KowdHXxsnPo=
=eTrH
-----END PGP SIGNATURE-----
More information about the Catalog-SIG
mailing list