[Catalog-sig] Use user-specific site-packages by default?

Donald Stufft donald.stufft at gmail.com
Tue Feb 5 15:28:04 CET 2013


On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped SHA2 hash of the file to be downloaded from an external host would be enough to detect tampering over time.
You could do this, but it still lowers the overall availability of the system, which kinda sucks, and to actually be sane and secure you'd still need to rework the current method of trolling for external URLs.
> 
> pip could come with a copy of PyPI's ssl certificate, verifying that it was identical to the expected cert rather than signed by one of 100s of trusted CAs.
That loses the ability to change PyPI's SSL cert, basically forever, and still doesn't protect against MITM for someone logging into PyPI through a browser.
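The first option discussed above, a PyPI-hosted SHA2 digest for a file served from an external host, is illustrated here as an added example; it is not pip's or PyPI's own code. The index record, the archive bytes, the `external.example` URL and the `fetch_and_check` / `verify_download` names are all constructed for the illustration. It shows the tamper check itself (a constant-time comparison of the downloaded bytes' SHA-256 against the index-hosted digest) and what happens when the external host serves a modified file.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Constructed sample data: the bytes the index owner published, and the bytes an
# external host might serve after the file was tampered with.
GOOD_ARCHIVE = b"PK\x03\x04 constructed archive bytes for examplepkg-1.0"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\x00 bytes appended on the external host"

# Constructed stand-in for a record hosted (and served over TLS) by the index:
# it names the external download URL and the digest the index owner vouches for.
INDEX_RECORD: Dict[str, str] = {
    "filename": "examplepkg-1.0.tar.gz",
    "url": "https://external.example/examplepkg-1.0.tar.gz",  # hypothetical host
    "sha256": hashlib.sha256(GOOD_ARCHIVE).hexdigest(),
}


class DigestMismatch(Exception):
    """Raised when downloaded bytes do not match the index-hosted digest."""


def _is_hex_sha256(digest: str) -> bool:
    # A SHA-256 hex digest is exactly 64 lowercase hex characters.
    return len(digest) == 64 and all(c in "0123456789abcdef" for c in digest)


def verify_download(record: Dict[str, str], downloaded: bytes) -> bool:
    """Return True only if `downloaded` hashes to the digest recorded on the index.

    The expected digest is validated before use so a malformed record fails
    closed rather than silently matching nothing; the comparison is
    constant-time even though the digest is public, as a matter of habit.
    """
    expected = record["sha256"].lower()
    if not _is_hex_sha256(expected):
        raise ValueError("index record carries a malformed sha256 digest")
    actual = hashlib.sha256(downloaded).hexdigest()
    return hmac.compare_digest(actual, expected)


def fetch_and_check(record: Dict[str, str],
                    downloader: Callable[[str], bytes]) -> bytes:
    """Download via `downloader` and refuse to return bytes that fail the check."""
    data = downloader(record["url"])
    if not verify_download(record, data):
        raise DigestMismatch(
            f"{record['filename']} from {record['url']} does not match the "
            f"digest published on the index; refusing to install"
        )
    return data


def fake_external_host(payload: bytes) -> Callable[[str], bytes]:
    """Build a stand-in downloader that serves `payload` for any URL (offline)."""
    return lambda _url: payload


if __name__ == "__main__":
    honest = fetch_and_check(INDEX_RECORD, fake_external_host(GOOD_ARCHIVE))
    print("untampered download accepted:", len(honest), "bytes")
    try:
        fetch_and_check(INDEX_RECORD, fake_external_host(TAMPERED_ARCHIVE))
    except DigestMismatch as exc:
        print("tampered download rejected:", exc)
```

The check only detects tampering; it does nothing for the availability point raised in the reply above, since a missing or unreachable external host still fails the install, and the index record itself must be fetched over a channel the client already trusts.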
