[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site
Robert Collins
robertc at robertcollins.net
Wed Mar 13 18:41:33 CET 2013
On 14 March 2013 05:54, Tres Seaver <tseaver at palladion.com> wrote:
> On 03/12/2013 03:57 PM, holger krekel wrote:
>> Nobody should be lead to think that PYPI is a trusted or reviewed
>> source of software even if we got rid of external hosting completely.
>
> Amen. I still boggle at the amount of "sky is falling" stuff here over
> MITM / external links / whatever, given the potential damage from
> explicitly malicious uploads (trojans, viruses, whatever). Package
> signing might help here, but only for consumers who are willing to think hard
> enough about the problem to manage a web of trust (frankly, a vanishingly
> small minority).
Well yes, HTTPS and external links are problems which it is necessary
to solve, and not sufficient to make 'pypi secure' - but that doesn't
mean we should do a poor job solving them.
-Rob
--
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services