[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Wed Jun 16 00:55:41 CEST 2010

> Is the plan to use what is proposed in
> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html in
> practice?

You mean, is it implemented and deployed? Sure - just try for yourself.

> Is more information available about this?

This is not a very specific question. The answer is certainly: yes, e.g.
the source code of PyPI.

> Does this protect against man-in-the-middle attacks?

Hmm. This is also not very specific. Sometimes yes, sometimes no.

It protects against men sitting in the middle of a package download, and
also against men sitting on a mirror (which are both in the middle 
between PyPI and the user).

It doesn't protect against men sitting in the middle of the serverkey 
download, or men sitting in the middle of a setuptools installation
process, or men sitting on PyPI itself (which would be in the middle 
between the package author and the user).


More information about the Catalog-SIG mailing list