[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
M.-A. Lemburg
mal at egenix.com
Tue Jun 15 22:33:15 CEST 2010
"Martin v. Löwis" wrote:
>> I read pep 381 long time ago and I don't remember how/when a mirror
>> would update, but I do remember it doesn't mandate digital signatures
>> (signed by pypi central node, verified by setuptools&friends). That is a
>> big gap, in my opinion.
>
> The PEP doesn't explain the digital signing that is going on in
> mirroring. See
>
> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html
>
> This is fully implemented (except that client would need to verify the
> signatures, and except key rollover hasn't happened yet).
That's good to know, but I think some parts of this will have to be
discussed some more:
"""
/serverkey Public DSA key of the server, in the PEM format
as generated by "openssl dsa -pubout" (i.e. RFC 3280
SubjectPublicKeyInfo, with the algorithm 1.3.14.3.2.12).
This URL must *not* be mirrored, and clients must fetch
the official serverkey from PyPI directly. The serverkey
"""
* How will clients be sure that they are getting the correct key?
* What would a client do if the PyPI server is down?
* How would clients protect their local cached copy of the
server key against manipulation?
* Without access to OpenSSL and M2Crypto, how would clients
apply the check?
Also, please consider that access to crypto code is restricted
in some parts of the world. Users in those countries would have
to be able to turn off verification.
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Jun 15 2010)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
2010-07-19: EuroPython 2010, Birmingham, UK 33 days to go
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
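The questions above concern how a client would check mirrored pages against the PyPI serverkey. As an added example (not code from this thread, PEP 381 or PyPI), here is a pure-Python DSA verify that needs neither OpenSSL nor M2Crypto, only the standard library, plus a fail-closed wrapper that pins the serverkey's fingerprint so a cached copy cannot be silently swapped. Assumptions: constructed demo-size parameters instead of PyPI's real key, SHA-1 as the digest (matching openssl's dss1), and the key handled as raw integers rather than parsed from PEM.

```python
import hashlib, random, secrets

def is_probable_prime(n, rounds=24):       # Fermat test, enough for demo parameters
    if n < 2 or any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    return all(pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(rounds))

def generate_parameters(q_bits=160, p_bits=512):
    """Constructed DSA domain parameters (p, q, g); demo sizes, not PyPI's key."""
    q = p = 0
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | 1 << (q_bits - 1) | 1
    while not is_probable_prime(p):
        k = (secrets.randbits(p_bits - q_bits) | 1 << (p_bits - q_bits - 1)) & ~1
        p = k * q + 1                      # even k keeps p odd
    g = next(pow(h, k, p) for h in range(2, p) if pow(h, k, p) > 1)
    return p, q, g

def keygen(params):                        # private x stays on PyPI; y is the serverkey
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def digest(data):                          # SHA-1, matching openssl's dss1 (assumption)
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(params, x, data):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (digest(data) + x * r) % q
        if r and s:
            return r, s

def verify(params, y, data, sig):          # True only for a valid (r, s) over data
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):      # reject malformed values before any math
        return False
    w = pow(s, -1, q)
    v = pow(g, digest(data) * w % q, p) * pow(y, r * w % q, p) % p % q
    return v == r

def fingerprint(params, y):                # what a client pins once it has the real key
    return hashlib.sha256(repr((*params, y)).encode()).hexdigest()

def verify_mirror_page(params, y, pinned_fp, data, sig):
    """Fail closed: key must match the pinned fingerprint and the signature must verify."""
    return fingerprint(params, y) == pinned_fp and verify(params, y, data, sig)
```

A client that has no cached fingerprint yet, or whose cached serverkey no longer matches, gets a rejection rather than a silent pass; turning verification off for jurisdictions where crypto is restricted would be a separate, explicit switch around this call.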