[Catalog-sig] Use user-specific site-packages by default?

Lennart Regebro regebro at gmail.com
Tue Feb 5 16:10:52 CET 2013


On Tue, Feb 5, 2013 at 3:24 PM, Daniel Holth <dholth at gmail.com> wrote:
> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
> SHA2 hash of the file to be downloaded from an external host would be enough
> to detect tampering over time.

Hm. The discussion about signatures of files on the PSF list was so
focused on how to make it simpler for the maintainers to sign the
files that I forgot that we can have PyPI do it.
That's quite a massive amount of work though, with thousands of sites
to be crawled just to find the files.

I really, seriously, think we need to get rid of the crawling though.
It's daft beyond absurdity.

//Lennart
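The index-hosted, signed, timestamped hash that Daniel describes above, as an added example that is not part of this thread or of PyPI: the index publishes a record carrying the file's SHA-256 and a timestamp, and a client checks the record's signature before comparing the hash of whatever it fetched from the external host. The HMAC key used here is a constructed stand-in for the index's real signing key (a real index would use an asymmetric key whose public half clients already trust).

```python
import hashlib
import hmac
import json

# Constructed stand-in for the index's signing key (assumption, not a real secret).
INDEX_SIGNING_KEY = b"example-index-key-not-a-real-secret"


def index_record(filename: str, file_bytes: bytes, signed_at: str) -> dict:
    """Build the record the index would host: filename, SHA-256 of the file,
    the time the index signed it, and the index's signature over all three."""
    body = {
        "filename": filename,
        "sha256": hashlib.sha256(file_bytes).hexdigest(),
        "signed_at": signed_at,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(INDEX_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_download(record: dict, downloaded: bytes) -> bool:
    """Verify the index signature on the record first, then the hash of the
    bytes fetched from the external host.  Either check failing means the
    file (or the record itself) has been tampered with since it was signed."""
    payload = json.dumps(record["body"], sort_keys=True).encode()
    expected_sig = hmac.new(INDEX_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, record["signature"]):
        return False  # record not issued by the index, or altered afterwards
    actual = hashlib.sha256(downloaded).hexdigest()
    return hmac.compare_digest(actual, record["body"]["sha256"])


if __name__ == "__main__":
    # Constructed sample: the bytes the maintainer uploaded to the external host.
    original = b"original sdist bytes"
    rec = index_record("pkg-1.0.tar.gz", original, "2013-02-05T15:24:00Z")
    print("untouched download verifies:", verify_download(rec, original))
    print("modified download verifies:", verify_download(rec, original + b"!"))
```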
