[Catalog-sig] Use user-specific site-packages by default?

Donald Stufft donald.stufft at gmail.com
Tue Feb 5 16:18:25 CET 2013


On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote:
> Transporting almost all externally reachable packages to be locally pypi
> served is also kind of a low hanging fruit, although probably slightly
> higher hanging than SSL :) The point is that we can have some control over
> those packages once we have them - so we can delete them if they are reported
> to be malicious independently of maintainer reachability.
> 
> 

We have no way to validate that the package we are downloading is the accurate one;
we should not infer trust/validation that doesn't exist.
> 
> No, because a signature can only be created by the original author for
> a particular file (his upload), not from the download site or a
> MITM-attacker for a different file.
> 
> 

This assumes we know what the correct key is. If we don't then we
have no way to validate that the signature was created by the author
and not by someone else. Trust is hard. 
> 
> best,
> holger
> 
> 
> > //Lennart
> > _______________________________________________
> > Catalog-SIG mailing list
> > Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> > http://mail.python.org/mailman/listinfo/catalog-sig
> > 


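The exchange above turns on one distinction: a signature proves that a particular key signed a particular file, and nothing more unless the verifier already knows which key is the author's. The following Go program is an added example, not code from this thread, from PyPI or from any installer; it uses only the Go standard library (`crypto/ed25519`, `crypto/sha256`) and constructs its own sample files, key pairs and "pinned" values. It runs three checks over a genuine release and over a substitute file that a download site served in its place, re-signed with a key that is not the author's: verification against whatever key arrived with the download, verification against a key the installer holds from out of band, and comparison against a digest obtained from a trusted channel. The first check passes for both files; only the pinned key and pinned digest tell them apart.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Release is what an installer receives from a download site: the file, a
// detached signature over it, and the public key the site says signed it.
type Release struct {
	Data       []byte
	Signature  []byte
	ClaimedKey ed25519.PublicKey
}

// VerifyTrustingSiteKey checks the signature against whatever key arrived with
// the download. It only proves that the signature and that key match each other.
func VerifyTrustingSiteKey(r Release) bool {
	return ed25519.Verify(r.ClaimedKey, r.Data, r.Signature)
}

// VerifyPinned checks the signature against a key the installer obtained out
// of band (hypothetical: pinned in its own configuration). This is the check
// that actually binds the file to the author.
func VerifyPinned(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Data, r.Signature)
}

// VerifyPinnedDigest compares the file's SHA-256 with a digest the installer
// already holds from a trusted channel, independent of the download site.
func VerifyPinnedDigest(expectedHex string, data []byte) bool {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil {
		return false
	}
	sum := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(sum[:], expected) == 1
}

// Outcome records how each check treats the genuine file and the substitute.
type Outcome struct {
	GenuineSiteKey, GenuinePinned, GenuineDigest          bool
	SubstituteSiteKey, SubstitutePinned, SubstituteDigest bool
}

// RunScenario builds the constructed sample releases and runs the three checks
// over both of them.
func RunScenario() (Outcome, error) {
	authorPub, authorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// A second key pair standing in for anyone who is not the author.
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample file contents; no real package is involved.
	genuine := []byte("constructed sample: contents of example-1.0.tar.gz")
	substitute := []byte("constructed sample: different contents served under the same name")

	// The digest the installer would have received through a trusted channel.
	sum := sha256.Sum256(genuine)
	pinnedDigest := hex.EncodeToString(sum[:])

	g := Release{Data: genuine, Signature: ed25519.Sign(authorPriv, genuine), ClaimedKey: authorPub}
	s := Release{Data: substitute, Signature: ed25519.Sign(otherPriv, substitute), ClaimedKey: otherPub}

	return Outcome{
		GenuineSiteKey:    VerifyTrustingSiteKey(g),
		GenuinePinned:     VerifyPinned(authorPub, g),
		GenuineDigest:     VerifyPinnedDigest(pinnedDigest, g.Data),
		SubstituteSiteKey: VerifyTrustingSiteKey(s),
		SubstitutePinned:  VerifyPinned(authorPub, s),
		SubstituteDigest:  VerifyPinnedDigest(pinnedDigest, s.Data),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine    site-key=%v pinned-key=%v pinned-digest=%v\n", o.GenuineSiteKey, o.GenuinePinned, o.GenuineDigest)
	fmt.Printf("substitute site-key=%v pinned-key=%v pinned-digest=%v\n", o.SubstituteSiteKey, o.SubstitutePinned, o.SubstituteDigest)
}
```

The design point is that `VerifyTrustingSiteKey` is the check an installer performs when it accepts the key from the same place it got the file; it is a consistency check on the download, not a statement about who produced it. Both `VerifyPinned` and `VerifyPinnedDigest` require the installer to hold something it did not receive from the download site, which is exactly the "knowing what the correct key is" problem the reply above raises.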

