[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
debatem1 at gmail.com
Wed Jun 16 19:42:25 CEST 2010
On Wed, Jun 16, 2010 at 2:41 AM, Justin Cappos
<justinc at cs.washington.edu> wrote:
> On Tue, Jun 15, 2010 at 11:09 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>>> I'm not clear on this and the document is a little vague, so perhaps
>>> I should be perusing the source, but if you don't protect against a
>>> serverkey MITM and you are supposed to update the serverkey any
>>> time a signature doesn't match up, couldn't an attacker just MITM
>>> you, produce a known bad signature, and then wait for you to
>>> request a serverkey from them?
>> That's true; transmission of the serverkey is not currently protected
>> against MITM. How would you suggest fixing that?
> A simple way to protect against just the issue you mentioned is to
> have the clients retrieve the key over HTTPS or distribute the key
> with the client.
I'd just add that this is not currently as simple as it should be in
Python; by default Python does not check certs for HTTPS
connections, so you can't just feed the correct url into urllib and
be sure you're getting the right answer.
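As an added example (not code from this thread or from the PyPI project): a client-side serverkey fetch that sets the certificate and hostname verification policy explicitly instead of relying on whatever the interpreter's urllib default happens to be, and that can also check the result against a fingerprint shipped with the client, the other option Justin mentions. The key blob, fingerprint and URL are constructed sample values.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample values: a hypothetical serverkey blob and the SHA-256
# fingerprint a client would ship with itself ("distribute the key with the client").
SAMPLE_SERVERKEY = b"-----BEGIN PUBLIC KEY-----\nconstructed-sample\n-----END PUBLIC KEY-----\n"
SAMPLE_FINGERPRINT = hashlib.sha256(SAMPLE_SERVERKEY).hexdigest()

def verifying_context(cafile=None):
    """SSL context that requires a trusted chain and a matching hostname.

    Python 2's urllib did no verification (the behaviour complained about in
    the thread); since PEP 476 the stdlib verifies by default, but setting the
    policy explicitly keeps it independent of the interpreter version.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def context_is_strict(ctx):
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED

def key_fingerprint(key_bytes):
    return hashlib.sha256(key_bytes).hexdigest()

def matches_pin(key_bytes, expected_fingerprint):
    """Second line of defence: compare the retrieved key to a pinned fingerprint."""
    return hmac.compare_digest(key_fingerprint(key_bytes), expected_fingerprint)

def fetch_serverkey(url, expected_fingerprint=None, cafile=None, timeout=10):
    """Fetch the serverkey over HTTPS only, with certificate verification.

    Plain http:// is refused (a MITM could substitute any key), and when a
    pinned fingerprint is given a non-matching key is rejected.
    """
    if urlparse(url).scheme != "https":
        raise ValueError("serverkey must be fetched over https, got %r" % url)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=verifying_context(cafile)))
    with opener.open(url, timeout=timeout) as resp:
        key = resp.read()
    if expected_fingerprint is not None and not matches_pin(key, expected_fingerprint):
        raise ValueError("serverkey fingerprint mismatch; refusing to trust it")
    return key
```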