[Catalog-sig] Use user-specific site-packages by default?
Lennart Regebro
regebro at gmail.com
Tue Feb 5 16:10:52 CET 2013
On Tue, Feb 5, 2013 at 3:24 PM, Daniel Holth <dholth at gmail.com> wrote:
> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
> SHA2 hash of the file to be downloaded from an external host would be enough
> to detect tampering over time.
Hm. The discussion about signatures of files on the PSF list was so
focused on how to make it simpler for the maintainers to sign the
files that I forgot that we can have PyPI do it.
That's quite a massive amount of work though, with thousands of sites
to be crawled just to find the files.
I really, seriously, think we need to get rid of the crawling though.
It's daft beyond absurdity.
//Lennart
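The scheme Daniel describes in the quoted reply (an index-hosted, index-signed, timestamped SHA-2 hash of a file that actually lives on an external host) reduces on the client side to two checks in a fixed order: verify the index's signature over the hash record, then verify the hash of the downloaded bytes against the record. The following is an added example and is not code from the original message or from PyPI; it uses an HMAC over the record as a stand-in for whatever signature PyPI would really apply, and the index key, file name, timestamp and file contents are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a shared key standing in for the index's real signing key.
INDEX_KEY = b"example-index-signing-key"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file bytes, hex encoded (the 'SHA2 hash' of the record)."""
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    """Deterministic encoding of the record so that signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def publish_record(filename: str, data: bytes, timestamp: str, index_key: bytes = INDEX_KEY) -> dict:
    """Index side: hash the file, attach a timestamp, sign the whole record.

    The file itself is never served by the index; only this record is.
    """
    record = {"filename": filename, "sha256": sha256_hex(data), "timestamp": timestamp}
    signature = hmac.new(index_key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "signature": signature}


def verify_download(signed: dict, data: bytes, index_key: bytes = INDEX_KEY) -> str:
    """Client side: returns 'ok', 'bad-signature' or 'hash-mismatch'.

    The signature is checked first: a hash that did not come from the trusted
    index proves nothing, because an attacker who replaced the file on the
    external host could just as easily publish a matching hash there.
    """
    expected = hmac.new(index_key, canonical(signed["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return "bad-signature"
    if not hmac.compare_digest(signed["record"]["sha256"], sha256_hex(data)):
        return "hash-mismatch"
    return "ok"


# Constructed sample inputs: a fake sdist and two tampered variants.
ORIGINAL = b"example-1.0.tar.gz: original contents"
TAMPERED = b"example-1.0.tar.gz: contents swapped on the external host"
SIGNED = publish_record("example-1.0.tar.gz", ORIGINAL, "2013-02-05T15:24:00Z")


def tampered_record() -> dict:
    """An attacker rewrites the hash in the record to match their file but cannot re-sign it."""
    forged = {"record": dict(SIGNED["record"]), "signature": SIGNED["signature"]}
    forged["record"]["sha256"] = sha256_hex(TAMPERED)
    return forged


if __name__ == "__main__":
    print("genuine file  :", verify_download(SIGNED, ORIGINAL))
    print("swapped file  :", verify_download(SIGNED, TAMPERED))
    print("forged record :", verify_download(tampered_record(), TAMPERED))
```

The ordering matters: with the signature check first, an attacker who controls the external host can neither swap the file (hash mismatch) nor rewrite the published hash to match (signature failure). The timestamp in the signed record is what lets a client notice a hash that silently changed "over time"; it is carried here but not policed, since what to do with a re-published record is a policy question the thread does not settle.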