[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
"Martin v. Löwis"
martin at v.loewis.de
Tue Jun 15 22:48:00 CEST 2010
> * How will clients be sure that they are getting the correct key ?

They should initially download it from the master server (when that is
online) and cache it.

> * What would a client do if the PyPI server is down ?

Isn't that straightforward?

> * How would clients protect their local cached copy of the
> server key against manipulation ?

Using standard operating system access control.

> * Without access to OpenSSL and M2Crypto, how would clients
> apply the check ?

distribute could include a pure-Python checking function. The API
was specifically designed to make this possible.

> Also, please consider that access to crypto code is restricted
> in some parts of the world. Users in those countries would have
> to be able to turn off verification.

Most certainly. The simplest approach would be to turn off mirror usage
in the first place. If you do use mirrors, it is then a matter of your
own risk evaluation whether you want the mirror result verified.

Notice that none of this protects against the master server being
tampered with; the only way to protect against that is to use the PGP signing
feature in PyPI (which, of course, package authors must use).
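
The key handling described in the replies above (first download from the master server, then a cached copy protected by operating system access control), as an added example that is not part of the original message or of distribute. The cache path and the `fetch_from_master` callable are assumptions, and the permission checks are POSIX-only.

```python
import os
import stat

class KeyCacheError(Exception):
    """The cached server key fails the local access-control checks."""

def _require_private(st, what):
    # Only the current user may own or be able to modify the object.
    if st.st_uid != os.getuid():
        raise KeyCacheError(f"{what} is not owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise KeyCacheError(f"{what} is writable by group or others")

def load_cached_key(path):
    # A writable parent directory would let another user swap the file.
    parent = os.path.dirname(os.path.abspath(path))
    _require_private(os.stat(parent), "cache directory")
    # O_NOFOLLOW: a symlink planted at the cache path raises OSError.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())  # check the file actually opened
        if not stat.S_ISREG(st.st_mode):
            raise KeyCacheError("cached key is not a regular file")
        _require_private(st, "cached key")
        return f.read()

def store_key(path, key):
    # O_EXCL: never overwrite an existing cached key; 0600: owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)

def get_server_key(path, fetch_from_master):
    """Return the cached key; contact the master only on first use."""
    if os.path.lexists(path):
        return load_cached_key(path)
    # Hypothetical callable: returns key bytes, raises if the master is down.
    key = fetch_from_master()
    store_key(path, key)
    return key
```

Once the key is cached, a master outage no longer matters to the client; with no cached key and the master down, the fetch error propagates and no mirror result can be verified.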