[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

M.-A. Lemburg mal at egenix.com
Tue Jun 15 23:26:58 CEST 2010 

"Martin v. Löwis" wrote:
>> * How will clients be sure that they are getting the correct key ?
> 
> They should initially download it from the master server (when that is
> online) and cache it.

So they'll use HTTPS and check the server certificate
as well ?

>> * What would a client do if the PyPI server is down ?
> 
> Isn't that straight-forward?

If the local cache doesn't have the server key, the tools
would have to download it from somewhere and if the main server
is down, that's not possible, so you reintroduce a single
point of failure.

>> * How would clients protect their local cached copy of the
>>    server key against manipulation ?
> 
> Using standard operating system access control.

So clients will have to be careful to get this right.

>> * Without access to OpenSSL and M2Crypto, how would clients
>>    apply the check ?
> 
> distribute could include a pure-python checking function. The API
> was specifically designed to make this possible.

Do you have a pure-Python DSA and PEM/DER parsing function
available ? Wouldn't a set of hex dumps be easier to parse ?

>> Also, please consider that access to crypto code is restricted
>> in some parts of the world. Users in those countries would have
>> to be able to turn off verification.
> 
> Most certainly. The simplest approach would be to turn off mirror usage
> in the first place. If you do use mirrors, it is then a matter of your
> own risk evaluation whether you want the mirror result verified.
> 
> Notice that none of this protects against the master server being
> tempered; the only way to protect against that is to use the PGP signing
> feature in PyPI (which, of course, package authors must use).

Right, it's just an end-to-end authentication.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jun 15 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2010-07-19: EuroPython 2010, Birmingham, UK                33 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

More information about the Catalog-SIG mailing list