[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

M.-A. Lemburg mal at egenix.com
Tue Jun 15 22:33:15 CEST 2010

"Martin v. Löwis" wrote:
>> I read pep 381 long time ago and I don't remember how/when a mirror
>> would update, but I do remember it doesn't mandate digital signatures
>> (signed by pypi central node, verified by setuptools&friends). That is a
>> big gap, in my opinion.
> The PEP doesn't explain the digital signing that is going on in
> mirroring. See
> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html
> This is fully implemented (except that client would need to verify the
> signatures, and except key rollover hasn't happened yet).

That's good to know, but I think some parts of this will have to be
discussed some more:

/serverkey   Public DSA key of the server, in the PEM format
              as generated by "openssl dsa -pubout" (i.e. RFC 3280
              SubjectPublicKeyInfo, with the algorithm
              This URL must *not* be mirrored, and clients must fetch
              the official serverkey from PyPI directly. The serverkey

* How will clients be sure that they are getting the correct key ?

* What would a client do if the PyPI server is down ?

* How would clients protect their local cached copy of the
  server key against manipulation ?

* Without access to OpenSSL and M2Crypto, how would clients
  apply the check ?

Also, please consider that access to crypto code is restricted
in some parts of the world. Users in those countries would have
to be able to turn off verification.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jun 15 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
2010-07-19: EuroPython 2010, Birmingham, UK                33 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Catalog-SIG mailing list