[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement
steve at holdenweb.com
Thu Jan 21 03:30:58 CET 2010
Tarek Ziadé wrote:
> 2010/1/20 "Martin v. Löwis" <martin at v.loewis.de>:
>>> Of course, there's also a human dimension: we suppose that the people
>>> running the mirror are people we can trust because they can
>>> technically do malicious things in the mirror since we don't really
>>> have any real protection (*yet*).
>> That's not true: users of mirrors can verify that the mirrors are
>> authentic. Neither can malicious operators modify the contents of
>> their mirrors without clients noticing, nor can careless mirror
>> operators threaten the integrity of a mirror even assuming somebody
>> breaks into the mirror.
> But users can't verify that the archives they download using tools like
> easy_install are the real ones.
> If I am a bad guy and I run a mirror, I can change a setup.py file in
> an archive and make it do malicious things on the computer, and let
> easy_install execute it for me.
> The only verification done is the md5 hash on the file, which can be
> changed on the mirror (nothing prevents the mirror from computing its
> own MD5 fragments in the download URLs).
I have in the past suggested that we consider hosting services at
diverse places. I'd have thought this was a prima facie case for
distributed hosting facilities. If we have that, we have no need for
mirrors, but instead for systems management. I know of at least three
reputable US hosting companies who I am pretty sure would help, and a
major academic hosting organization too. Also maybe Snakebite might be

This is an infrastructure committee task really. Brett? Martin?
Brett: maybe your closing report to the board could summarize the
overall hosting situation?
Steve Holden +1 571 484 6266 +1 800 494 3119
PyCon is coming! Atlanta, Feb 2010 http://us.pycon.org/
Holden Web LLC http://www.holdenweb.com/
UPCOMING EVENTS: http://holdenweb.eventbrite.com/
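As an added illustration of the point Tarek makes above (example code written for this page, not from the thread or from any PyPI tool): an md5 fragment in a download link gives no integrity against the host that serves both the link and the file, because that host can recompute the fragment, whereas a digest obtained from the authoritative index still catches the change. The URLs and archive contents below are constructed placeholders.

```python
import hashlib
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def fragment_md5(url: str) -> Optional[str]:
    """Pull the md5=<hex> value out of a PyPI-style '#md5=...' URL fragment."""
    for part in urlparse(url).fragment.split("&"):
        if part.startswith("md5="):
            return part[len("md5="):].lower()
    return None


def verify_against_fragment(url: str, archive: bytes) -> bool:
    """The easy_install-style check: trust the digest embedded in the link itself."""
    expected = fragment_md5(url)
    return expected is not None and expected == md5_hex(archive)


def verify_against_trusted(trusted_md5: str, archive: bytes) -> bool:
    """Check against a digest fetched from the authoritative index, not the mirror."""
    return trusted_md5.lower() == md5_hex(archive)


# Constructed sample data standing in for a real sdist and its index entry.
ORIGINAL = b"setup.py: setup(name='demo', version='1.0')\n"
TAMPERED = ORIGINAL + b"# extra line introduced on the mirror\n"
AUTHORITATIVE_MD5 = md5_hex(ORIGINAL)  # what the real index would publish
ORIGINAL_URL = ("http://pypi.example/packages/source/d/demo/demo-1.0.tar.gz"
                f"#md5={AUTHORITATIVE_MD5}")


def mirror_serves(archive: bytes) -> Tuple[str, bytes]:
    """A mirror controls both the link page and the file, so its fragment always matches."""
    url = (f"http://mirror.example/packages/source/d/demo/demo-1.0.tar.gz"
           f"#md5={md5_hex(archive)}")
    return url, archive


def run_checks() -> Dict[str, bool]:
    """Compare the two verification strategies against a mirror serving an altered archive."""
    mirror_url, served = mirror_serves(TAMPERED)
    return {
        "fragment_check_on_original": verify_against_fragment(ORIGINAL_URL, ORIGINAL),
        "fragment_check_on_tampered_mirror": verify_against_fragment(mirror_url, served),
        "trusted_check_on_tampered_mirror": verify_against_trusted(AUTHORITATIVE_MD5, served),
    }
```

Running `run_checks()` returns True for both fragment checks and False only for the trusted-digest check: the mirror's recomputed fragment passes, so detection depends on a digest the mirror cannot rewrite.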