[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

Justin Cappos justinc at cs.washington.edu
Sat Jun 19 20:24:00 CEST 2010

On Sat, Jun 19, 2010 at 8:58 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> A simple way to protect against just the issue you mentioned is to
>> have the clients retrieve the key over HTTPS or distribute the key
>> with the client.
> Ok. I have now enabled https for PyPI (https://pypi.python.org/pypi)

Great.   Assuming cert checking is implemented properly for the
clients who retrieve your server's key, this will protect against many
simple attacks.

> I don't think adding another dependency to the clients is really acceptable.
> Instead, it must all be self-contained.

Okay, sounds good.   We'll look elsewhere!


More information about the Catalog-SIG mailing list