[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

["Martin v. Löwis"]

>>> * How will clients be sure that they are getting the correct key ?
>>
>> They should initially download it from the master server (when that is
>> online) and cache it.
>
> So they'll use HTTPS and check the server certificate
> as well ?

No. But they trust that the package contents is untampered when they 
download from the central copy, so they should also trust that the 
server key is untampered.

If some attack could arrange to modify the server key (either during 
transmission, or afterwards), the same threat applies to the actual 
packages. So this doesn't add any new risk.

>>> * What would a client do if the PyPI server is down ?
>>
>> Isn't that straight-forward?
>
> If the local cache doesn't have the server key, the tools
> would have to download it from somewhere and if the main server
> is down, that's not possible, so you reintroduce a single
> point of failure.

That wouldn't be a problem, since one copy of the server key could ship 
with setuptools/distribute itself. So people who have never used it 
before could still validate the mirrors.

>>> * How would clients protect their local cached copy of the
>>>     server key against manipulation ?
>>
>> Using standard operating system access control.
>
> So clients will have to be careful to get this right.

Not anymore than they do for the actual package data.

>>> * Without access to OpenSSL and M2Crypto, how would clients
>>>     apply the check ?
>>
>> distribute could include a pure-python checking function. The API
>> was specifically designed to make this possible.
>
> Do you have a pure-Python DSA and PEM/DER parsing function
> available ? Wouldn't a set of hex dumps be easier to parse ?

See tools/verify.py.

Regards,
Martin