[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
M.-A. Lemburg
mal at egenix.com
Tue Jun 15 23:26:58 CEST 2010
"Martin v. Löwis" wrote:
>> * How will clients be sure that they are getting the correct key ?
>
> They should initially download it from the master server (when that is
> online) and cache it.
So they'll use HTTPS and check the server certificate
as well ?
>> * What would a client do if the PyPI server is down ?
>
> Isn't that straightforward?
If the local cache doesn't have the server key, the tools
would have to download it from somewhere and if the main server
is down, that's not possible, so you reintroduce a single
point of failure.
>> * How would clients protect their local cached copy of the
>> server key against manipulation ?
>
> Using standard operating system access control.
So clients will have to be careful to get this right.
>> * Without access to OpenSSL and M2Crypto, how would clients
>> apply the check ?
>
> distribute could include a pure-python checking function. The API
> was specifically designed to make this possible.
Do you have a pure-Python DSA and PEM/DER parsing function
available ? Wouldn't a set of hex dumps be easier to parse ?
>> Also, please consider that access to crypto code is restricted
>> in some parts of the world. Users in those countries would have
>> to be able to turn off verification.
>
> Most certainly. The simplest approach would be to turn off mirror usage
> in the first place. If you do use mirrors, it is then a matter of your
> own risk evaluation whether you want the mirror result verified.
>
> Notice that none of this protects against the master server being
> tampered with; the only way to protect against that is to use the PGP signing
> feature in PyPI (which, of course, package authors must use).
Right, it's just an end-to-end authentication.
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Jun 15 2010)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
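As an added illustration of the "pure-Python checking function" and the hex-dump alternative discussed above (this is not code from the thread, from distribute or from PyPI): a minimal DSA verifier that takes the server key as hex-dumped integers instead of PEM/DER, using only the standard library. The group parameters, private exponent and nonce handling are constructed toy values chosen so the numbers can be checked by hand; they provide no real security.

```python
"""Pure-Python DSA verification over a hex-dumped public key (added example)."""
import hashlib
import secrets

# Constructed toy public key as hex dumps: p=607, q=101 (q divides p-1), g=64, y=g^x mod p.
PUBKEY_HEX = {"p": "25f", "q": "65", "g": "40", "y": "8f"}
PRIVATE_X_HEX = "25"  # constructed; only the signing (master) server would hold this


def load_hex_key(fields):
    """Parse hex-dumped DSA parameters into integers; no ASN.1/PEM parsing needed."""
    return {name: int(value, 16) for name, value in fields.items()}


def digest_to_int(message, q):
    """FIPS 186 rule: use the leftmost min(N, outlen) bits of SHA-1(message)."""
    h = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return h >> max(0, 160 - q.bit_length())


def dsa_verify_digest(key, z, r, s):
    """Core DSA check on an already-hashed value z; True iff (r, s) is valid."""
    p, q, g, y = key["p"], key["q"], key["g"], key["y"]
    if not (0 < r < q and 0 < s < q):   # reject out-of-range signatures outright
        return False
    w = pow(s, -1, q)                   # modular inverse (Python 3.8+)
    u1 = (z * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def dsa_verify(key, message, r, s):
    """Verify a signature over raw bytes, e.g. the mirror's signed page content."""
    return dsa_verify_digest(key, digest_to_int(message, key["q"]), r, s)


def dsa_sign(key, x, message):
    """Signer side, included only so the example round-trips stand-alone."""
    p, q, g = key["p"], key["q"], key["g"]
    z = digest_to_int(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1        # fresh per-signature nonce
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:                              # retry on the degenerate r=0 / s=0 cases
            return r, s


if __name__ == "__main__":
    key = load_hex_key(PUBKEY_HEX)
    r, s = dsa_sign(key, int(PRIVATE_X_HEX, 16), b"constructed mirror page")
    print(dsa_verify(key, b"constructed mirror page", r, s))
```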