[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
mal at egenix.com
Tue Jun 15 22:33:15 CEST 2010
"Martin v. Löwis" wrote:
>> I read pep 381 long time ago and I don't remember how/when a mirror
>> would update, but I do remember it doesn't mandate digital signatures
>> (signed by pypi central node, verified by setuptools&friends). That is a
>> big gap, in my opinion.
> The PEP doesn't explain the digital signing that is going on in
> mirroring. See
> This is fully implemented (except that client would need to verify the
> signatures, and except key rollover hasn't happened yet).
That's good to know, but I think some parts of this will have to be
discussed some more:
/serverkey Public DSA key of the server, in the PEM format
as generated by "openssl dsa -pubout" (i.e. RFC 3280
SubjectPublicKeyInfo, with the algorithm 1.3.14.3.2.12).
This URL must *not* be mirrored, and clients must fetch
the official serverkey from PyPI directly. The serverkey
* How will clients be sure that they are getting the correct key?
* What would a client do if the PyPI server is down?
* How would clients protect their local cached copy of the
server key against manipulation?
* Without access to OpenSSL and M2Crypto, how would clients
apply the check?
Also, please consider that access to crypto code is restricted
in some parts of the world. Users in those countries would have
to be able to turn off verification.
Professional Python Services directly from the Source (#1, Jun 15 2010)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
2010-07-19: EuroPython 2010, Birmingham, UK 33 days to go
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
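Added example for this thread (not code from PyPI, PEP 381 or the poster): a stdlib-only client-side sketch of the scheme quoted above, which loads the PEM serverkey only if it matches a pinned fingerprint, parses the DSA SubjectPublicKeyInfo and verifies a DSA signature, so no OpenSSL or M2Crypto is needed. The toy key (p=23, q=11, g=4, y=8), the pin derived from it and the signed page bytes are constructed; SHA-1 as the digest and the dsa_sign helper are assumptions used only to produce test data.

```python
import base64, hashlib, re
DSA_OIDS = {bytes.fromhex("2b0e03020c"), bytes.fromhex("2a8648ce380401")}  # 1.3.14.3.2.12 (PEP 381), 1.2.840.10040.4.1 (id-dsa)

def pem_to_der(pem):
    # Strip the -----BEGIN/END PUBLIC KEY----- armour and base64-decode the body.
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))

def der_items(buf):
    i = 0
    while i < len(buf):                                   # walk the DER TLVs, yielding (tag, content)
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                     # long form: low 7 bits give the number of length bytes
            ln, i = int.from_bytes(buf[i:i + ln - 0x80], "big"), i + ln - 0x80
        yield tag, buf[i:i + ln]
        i += ln

def parse_dsa_spki(der):
    """RFC 3280 SubjectPublicKeyInfo -> (p, q, g, y); rejects anything that is not a DSA key."""
    (_, spki), = der_items(der)                           # outer SEQUENCE
    (_, alg), (_, bits) = der_items(spki)                 # AlgorithmIdentifier, BIT STRING
    (_, oid), (_, params) = der_items(alg)
    if oid not in DSA_OIDS: raise ValueError("serverkey is not a DSA key")
    p, q, g = (int.from_bytes(v, "big") for _, v in der_items(params))
    (_, y), = der_items(bits[1:])                         # bits[0] is the unused-bits count
    return p, q, g, int.from_bytes(y, "big")

def load_serverkey(pem, pinned_sha256):
    der = pem_to_der(pem)
    if hashlib.sha256(der).hexdigest() != pinned_sha256:  # fail closed: fetched or cached key must match the pin
        raise ValueError("serverkey fingerprint mismatch")
    return parse_dsa_spki(der)

def dsa_verify(key, msg, sig):
    """Verify a DSA (r, s) signature over SHA-1(msg) with the parsed serverkey (SHA-1 is an assumption here)."""
    (p, q, g, y), (r, s) = key, sig
    if not (0 < r < q and 0 < s < q):
        return False
    h, w = int.from_bytes(hashlib.sha1(msg).digest(), "big"), pow(s, -1, q)
    return (pow(g, h * w % q, p) * pow(y, r * w % q, p) % p) % q == r

def dsa_sign(key, x, msg, k):
    """Toy signer used only to produce test data; real signers draw k at random (or per RFC 6979)."""
    p, q, g, _ = key
    h, r = int.from_bytes(hashlib.sha1(msg).digest(), "big"), pow(g, k, p) % q
    s = pow(k, -1, q) * (h + x * r) % q
    return (r, s) if r and s else dsa_sign(key, x, msg, k + 1)  # DSA: if r or s is 0, pick another k

TOY_DER = bytes.fromhex("301a301206052b0e03020c300902011702010b020104030400020108")  # constructed: p=23 q=11 g=4 y=8
SERVERKEY_PEM = "-----BEGIN PUBLIC KEY-----\n%s-----END PUBLIC KEY-----\n" % base64.encodebytes(TOY_DER).decode()
PINNED_SHA256 = hashlib.sha256(TOY_DER).hexdigest()       # a real client ships this value as a constant
```

The pinned fingerprint answers the "correct key" and "cached copy" questions in one place: a key that was fetched or read from disk is parsed only after it matches the constant the client shipped with, and a mismatch is an error rather than a silent fallback.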