[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Wed Mar 13 18:21:45 CET 2013

How do you know who to trust?  What if an author you trust adds a
dependency to a package to an author you have no konwledege of, or one
you actively distrust?  What if an author you trust commits one of the
other changes I outlined (removes a release / distribution, makes
backward-incompatible changes, re-uploads a changed distribution over an
existing one?)

The only way to implement "only install from trusted authors" is to run
your own index, and explicitly review / curate the package set maintained
there.   In that scenario, you run a script from time to time which looks
for new versions of your packages on PyPI and puts them into a queue for
review.

Bob, a casual reviewer, might install the new verison from PyPI into a
fresh virtualenv and test it there before pushing it into the curated index.

Carol, more pranoid^Wsecurity mindex, downloads the package, verifies its
signature, unpacks the tarball, diffs it against the curated version,
compares that diff against the changelog, looks at new / changed
dependencies, and installs it into a hardened sandbox for testing.  Only
after that kind of review does she push the newly-reviewed distribution
into the curated index.

Adding an entirely new package to the curated index is a similar process,
but requires more effort from either Bob or Carol.

Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlFAtakACgkQ+gerLs4ltQ5O4wCcC92ew66wVGEPBM/Jr8z1bYU8
e9AAoNXmaiuBHQOIFQlT0SRemI43hoG7
=idDp
-----END PGP SIGNATURE-----