[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Tue Jun 15 22:48:00 CEST 2010

> * How will clients be sure that they are getting the correct key ?

They should initially download it from the master server (when that is 
online) and cache it.

> * What would a client do if the PyPI server is down ?

Isn't that straight-forward?

> * How would clients protect their local cached copy of the
>    server key against manipulation ?

Using standard operating system access control.

> * Without access to OpenSSL and M2Crypto, how would clients
>    apply the check ?

distribute could include a pure-python checking function. The API
was specifically designed to make this possible.

> Also, please consider that access to crypto code is restricted
> in some parts of the world. Users in those countries would have
> to be able to turn off verification.

Most certainly. The simplest approach would be to turn off mirror usage 
in the first place. If you do use mirrors, it is then a matter of your
own risk evaluation whether you want the mirror result verified.

Notice that none of this protects against the master server being 
tampered with; the only way to protect against that is to use the PGP signing 
feature in PyPI (which, of course, package authors must use).
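
The key-caching answers in the message above, sketched as an added example that is not part of the original message or of distribute: the key is cached on first download and is later trusted only if file ownership and permissions still protect it. The function names, the `serverkey` file name and the SHA-256 comparison are assumptions made for illustration; the signature check itself is not shown.

```python
import hashlib
import hmac
import os
import stat
import tempfile


class KeyCacheError(Exception):
    """The cached server key cannot be trusted."""


def store_key(path, key_bytes):
    """First use: cache the key fetched from the master server, owner-only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_bytes)


def load_key(path):
    """Return the cached key only if OS access control still protects it."""
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())  # checks apply to the file actually read
        for who, s in (("directory", parent), ("key file", st)):
            if s.st_uid != os.getuid():
                raise KeyCacheError(who + " is owned by another user")
            if s.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                raise KeyCacheError(who + " is writable by group or others")
        return f.read()


def matches_cached_key(path, served_key):
    """Compare a key offered later against the cached copy."""
    cached = hashlib.sha256(load_key(path)).digest()
    return hmac.compare_digest(cached, hashlib.sha256(served_key).digest())


if __name__ == "__main__":
    key = b"constructed-sample-server-key"  # constructed, not a real key
    path = os.path.join(tempfile.mkdtemp(), "serverkey")  # assumed file name
    store_key(path, key)
    print(matches_cached_key(path, key))
    print(matches_cached_key(path, b"other-key"))
    os.chmod(path, 0o666)  # simulate loosened permissions
    try:
        load_key(path)
    except KeyCacheError as e:
        print("rejected:", e)
```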

