[Catalog-sig] Use user-specific site-packages by default?

Lennart Regebro regebro at gmail.com
Tue Feb 5 16:25:38 CET 2013


On Tue, Feb 5, 2013 at 4:14 PM, holger krekel <holger at merlinux.eu> wrote:
>> Sure, and that's another problem, and the low-hanging fruit there is
>> using https.
>
> Transporting almost all externally reachable packages to be locally pypi
> served is also kind of a low hanging fruit, although probably slightly
> higher hanging than SSL :)   The point is that we can have some control over
> those packages once we have them - so we can delete them if they are reported
> to be malicious independently of maintainer reachability.

Yeah. It makes sense, actually.

> No, because a signature can only be created by the original author for
> a particular file (his upload), not from the download site or a
> MITM-attacker for a different file.

Ah, yes. What you mean is that if a signature is available *and* the
author has uploaded his PGP/GPG key to PyPI.

//Lennart
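The point holger makes above, that a detached signature is bound to one specific upload and can be produced only with the author's private key, so neither the download site nor a MITM can substitute a different file, is illustrated by the following added example. It is not code from this thread or from PyPI, and it uses Ed25519 from Go's standard library in place of PGP/GPG; the release name and archive bytes are constructed, and the model of a download site that recomputes its own digest is an assumption made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download site (the index or a mirror) serves for one upload:
// the archive bytes, a digest the site computed itself, and the author's
// detached signature over the archive.
type Release struct {
	Name      string
	Archive   []byte
	SHA256    string // computed by whoever serves the file
	Signature []byte // created only with the author's private key
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuthorPublish models the maintainer signing their own upload. The private key
// never leaves the author, so nothing downstream can mint a new signature.
func AuthorPublish(priv ed25519.PrivateKey, name string, archive []byte) Release {
	return Release{
		Name:      name,
		Archive:   archive,
		SHA256:    digest(archive),
		Signature: ed25519.Sign(priv, archive),
	}
}

// MirrorTamper models a download site or MITM that replaces the file. It can
// recompute the digest it serves, but it has to keep the old signature.
func MirrorTamper(r Release, replacement []byte) Release {
	r.Archive = replacement
	r.SHA256 = digest(replacement)
	return r
}

// DigestOK is the check an installer can do with data from the download site
// alone; it only proves the file matches what that site chose to serve.
func DigestOK(r Release) bool { return digest(r.Archive) == r.SHA256 }

// SignatureOK needs the author's public key obtained out of band (e.g. the key
// the author registered with the index), not something served beside the file.
func SignatureOK(authorPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(authorPub, r.Archive, r.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release; the bytes stand in for a real sdist.
	genuine := AuthorPublish(priv, "example-1.0.tar.gz", []byte("constructed sdist bytes"))
	tampered := MirrorTamper(genuine, []byte("constructed sdist with different contents"))

	fmt.Println("genuine : digest", DigestOK(genuine), " signature", SignatureOK(pub, genuine))
	fmt.Println("tampered: digest", DigestOK(tampered), " signature", SignatureOK(pub, tampered))
}
```

The digest check passes for both releases because the site that swapped the file also recomputed the hash; only the signature check, anchored in a key the site does not control, distinguishes the author's upload from the substitute. That is why the author's key has to reach the installer through a channel the download site cannot rewrite.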

