[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Wed Jun 16 08:40:40 CEST 2010


> That's true; transmission of the serverkey is not currently protected
> against MITM. How would you suggest to fix that?
>
> As for perusing the source: the client behavior is not implemented yet,
> so there isn't really any source to check, yet.

Following up to myself: The mirroring protocol doesn't really *need*
to protect against MITM. Communication with PyPI (e.g. package download)
currently isn't protected against MITM, either, so the mirroring adds no
new threat here. The protocol primarily protects against malicious
mirror operators, and hacked mirrors.

With that, a simple solution might be to offer opt-out of serverkey
updates. Users that worry about MITM should manually install the
serverkey in their pypirc, then distribute could refuse to automatically
update it. In the case of key rollover, users would need to download the
server key again in a trusted manner.

Regards,
Martin
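An added illustration of the opt-out policy sketched above, written for this page and not code from distribute, PyPI or the thread's author. The `[mirror]` section with `serverkey` and `serverkey_pinned` options in pypirc is an assumed layout, and the keys are constructed placeholders; the point is the decision logic: trust on first use when nothing is stored, automatic replacement when the user has not opted out, and refusal (with a manual, out-of-band re-fetch) when a pinned key no longer matches.

```python
import configparser
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Constructed placeholder keys, not real PyPI material.
KEY_A = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-SERVERKEY-A\n-----END PUBLIC KEY-----"
KEY_B = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-SERVERKEY-B\n-----END PUBLIC KEY-----"

# Assumed pypirc layout: a [mirror] section holding the serverkey and the opt-out flag.
PINNED_PYPIRC = "[mirror]\nserverkey_pinned = true\nserverkey = " + KEY_A.replace("\n", "\n  ")
AUTO_PYPIRC = "[mirror]\nserverkey = " + KEY_A.replace("\n", "\n  ")
EMPTY_PYPIRC = "[distutils]\nindex-servers = pypi"

class Decision(Enum):
    TRUST_FIRST_USE = "no key stored yet: accept and store (trust on first use)"
    MATCH = "received key matches the stored key"
    AUTO_UPDATED = "stored key replaced because automatic updates are allowed"
    REFUSED = "pinned key differs: refuse the update, re-fetch the serverkey out of band"

@dataclass
class KeyPolicy:
    stored_key: Optional[str]  # serverkey already installed in pypirc, if any
    pinned: bool               # user opted out of automatic serverkey updates

def load_policy(pypirc_text: str) -> KeyPolicy:
    """Read the assumed [mirror] section; absent section means no key and no pin."""
    cfg = configparser.ConfigParser()
    cfg.read_string(pypirc_text)
    if not cfg.has_section("mirror"):
        return KeyPolicy(None, False)
    sec = cfg["mirror"]
    return KeyPolicy(sec.get("serverkey") or None,
                     sec.getboolean("serverkey_pinned", fallback=False))

def fingerprint(key_pem: str) -> str:
    # Compare keys by a digest of their normalised text rather than raw string equality.
    return hashlib.sha256(key_pem.strip().encode()).hexdigest()

def check_serverkey(policy: KeyPolicy, received_key: str) -> Tuple[Decision, Optional[str]]:
    """Apply the opt-out rule; returns the decision and the key to keep in pypirc."""
    if policy.stored_key is None:
        if policy.pinned:
            return Decision.REFUSED, None  # pinned but nothing installed: nothing to trust
        return Decision.TRUST_FIRST_USE, received_key
    if fingerprint(policy.stored_key) == fingerprint(received_key):
        return Decision.MATCH, policy.stored_key
    if policy.pinned:
        # Key rollover (or a MITM): the user must fetch the new key in a trusted manner.
        return Decision.REFUSED, policy.stored_key
    return Decision.AUTO_UPDATED, received_key
```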
