[Catalog-sig] Use user-specific site-packages by default?

Daniel Holth dholth at gmail.com
Tue Feb 5 15:34:39 CET 2013


On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft <donald.stufft at gmail.com> wrote:

> On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
>
> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
> SHA2 hash of the file to be downloaded from an external host would be
> enough to detect tampering over time.
>
> You could do this, still lowers the overall availability of the system
> which kinda sucks, and to actually be sane and secure you'd still need
> to rework the current method of trolling for external urls.
>
>
> pip could come with a copy of PyPI's ssl certificate, verifying that it
> was identical to the expected cert rather than signed by one of 100s of
> trusted CAs.
>
> That loses the ability to change PyPI's SSL cert, basically forever and
> still doesn't protect MITM against someone logging into PyPI through a
> browser.
>

Or it could just notify you whenever the SSL certificate changed.
http://tack.io/ lets a site sign its SSL certificate with a key that
doesn't change. Of course doing SSL at all is the priority.
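The two checks the thread discusses, as an added example that is not code from the thread or from pip: verifying an externally hosted file against an index-published SHA-256, and a certificate pin that records the fingerprint on first contact and reports a change rather than hard-failing forever. The store, hostnames and byte strings are constructed for the example; a real client would take the DER bytes from ssl.SSLSocket.getpeercert(binary_form=True).

```python
"""Added example (not from the thread): index-published hash check plus a
certificate pin that can notify on change instead of rejecting outright.
All inputs below are constructed for illustration."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def verify_download(data: bytes, expected_sha256_hex: str) -> bool:
    """Return True only if data hashes to the SHA-256 the index published.

    The external host is untrusted; only the hash served by the index is."""
    digest = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; hex digests are fixed length, so no length leak.
    return hmac.compare_digest(digest, expected_sha256_hex.lower())


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_cert_pin(host: str, der_cert: bytes, store: Dict[str, str],
                   strict: bool = False) -> Tuple[str, bool]:
    """Compare the presented certificate with the one recorded for host.

    Returns (status, proceed). status is one of:
      "first-seen" - nothing recorded yet; the fingerprint is recorded now
      "unchanged"  - matches the recorded fingerprint
      "changed"    - differs; proceed is False in strict mode, True otherwise
    In notify mode the caller must surface "changed" to the user rather than
    continue silently; that notification is the whole point of the check."""
    fp = cert_fingerprint(der_cert)
    recorded: Optional[str] = store.get(host)
    if recorded is None:
        store[host] = fp
        return "first-seen", True
    if hmac.compare_digest(recorded, fp):
        return "unchanged", True
    # A legitimate rotation and an interception look identical at this point,
    # so strict mode refuses while notify mode continues but reports it.
    return "changed", not strict
```

Strict mode is the "ship a copy of the cert" approach from the thread and breaks on every rotation; notify mode keeps availability but only helps if the user actually sees the report.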