[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

geremy condra debatem1 at gmail.com
Wed Jun 16 01:33:03 CEST 2010

On Tue, Jun 15, 2010 at 3:55 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> Is the plan to use what is proposed in
>> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html in
>> practice?
> You mean, is it implemented and deployed? Sure - just try for yourself.
>> Is more information available about this?
> This is not a very specific question. The answer is certainly: yes, e.g.
> the source code of PyPI.
>> Does this protect against man-in-the-middle attacks?
> Hmm. This is also not very specific. Sometimes yes, sometimes no.
> It protects against men sitting in the middle of a package download, and
> also against men sitting on a mirror (which are both in the middle between
> PyPI and the user).
> It doesn't protect against men sitting in the middle of the serverkey
> download, or men sitting in the middle of a setuptools installation
> process, or men sitting on PyPI itself (which would be in the middle between
> the package author and the user).

I'm not clear on this and the document is a little vague, so perhaps
I should be perusing the source, but if you don't protect against a
serverkey MITM and you are supposed to update the serverkey any
time a signature doesn't match up, couldn't an attacker just MITM
you, produce a known bad signature, and then wait for you to
request a serverkey from them?

Geremy Condra

More information about the Catalog-SIG mailing list