[Distutils] RFC: PEP243: Module Repository Upload Mechanism
Sean Reifschneider
jafo@tummy.com
Sun Mar 25 18:44:01 2001
On Sun, Mar 25, 2001 at 02:45:02PM -0500, Amos Latteier wrote:
>One question I have is how does the catalog verify who is
>uploading the package. It seems that the only facility is
>via a pgp signature. However, this signature seems to verify
>the author, not the uploader. Plus it's optional.
Well, the authorization is more of a policy decision, IMHO... For example,
one could send e-mail to the maintainer listed in the meta-information
requesting that they approve the upload. Or, one could require manual
verification if the signature doesn't match an "approved" signer for
automatic processing...
If you believe that having an e-mail address is enough to discourage
tampering and allow automatic posting of the uploaded binaries to the
repository, I think you're due for a big surprise... ;-/
>I like this system because it is light weight, and doesn't
>require much overhead for the author or uploader. It
>provides the downloader with some measure of information
Interesting... I dislike it because it provides the downloader with a
false sense of security... Just because you have a hotmail account that
someone has once logged in to, I don't think that's enough that someone
should believe it's not malicious code...
Currently, I'm planning on using a manual process for verification, to
figure out what really works.
It constantly surprises me that people will use packages uploaded to the
redhat contrib site (for example), but they do and there are surprisingly
few problems with it.
Maybe I'll have the uploaded packages come in as "unverified" and once
there's been some sort of verification that the author or maintainer knows
of it, or something along those lines, it will be moved to "verified"?
I agree that some sort of verification would be nice. I'm open to
suggestions though.
Sean
--
Having been an entrepreneur, I value being a wage-slave in new ways. I also
more fully understand why I hate it. -- Evelyn Mitchell, 1999
Sean Reifschneider, Inimitably Superfluous <jafo@tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
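One way the gate Sean sketches above (automatic acceptance only when the signature matches an "approved" signer, everything else parked as "unverified" for manual review) could be mechanised, as an added example that is not PEP 243's upload mechanism and not code from anyone in this thread. It parses the machine-readable `[GNUPG:] ...` lines that `gpg --status-fd 1 --verify` emits and applies a per-package allow-list of signer fingerprints. The APPROVED_SIGNERS table, the package names, the sample status lines and the "rejected" outcome for a bad signature are all assumptions made for illustration.

```python
"""Upload gate for a package repository, driven by gpg --status-fd output.

Added example, not part of PEP 243 or the distutils-sig thread. The
approved-signer table, package names and sample status lines below are
constructed for illustration.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy table: package name -> approved signer fingerprints
# (40 hex digits, OpenPGP v4). Packages not listed always need review.
APPROVED_SIGNERS: Dict[str, Set[str]] = {
    "examplepkg": {"0123456789ABCDEF0123456789ABCDEF01234567"},
}

# Constructed sample of what gpg prints on --status-fd for a good signature
# (a real run also prints other lines; the parser ignores them).
SAMPLE_STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <m@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2001-03-25 "
    "985542241 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_STATUS_BAD = ["[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <m@example.org>"]
SAMPLE_STATUS_UNKNOWN_KEY = [
    "[GNUPG:] ERRSIG FEDCBA9876543210 1 2 00 985542241 9 -",
    "[GNUPG:] NO_PUBKEY FEDCBA9876543210",
]

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(lines: List[str]) -> Dict[str, List[str]]:
    """Turn gpg status lines into {keyword: [argument string, ...]}."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if m:
            out.setdefault(m.group(1), []).append(m.group(2) or "")
    return out


def signer_fingerprint(status: Dict[str, List[str]]) -> Optional[str]:
    """Full fingerprint from VALIDSIG, or None if there is no valid signature.

    GOODSIG only carries the 64-bit key ID, which is far too short to match
    an allow-list against; VALIDSIG carries the full fingerprint, and its
    tenth field (when present) is the primary-key fingerprint, which is what
    a maintainer list is normally keyed on.
    """
    for args in status.get("VALIDSIG", []):
        fields = args.split()
        if len(fields) >= 10:
            return fields[9].upper()  # primary key fingerprint
        if fields:
            return fields[0].upper()  # signing (sub)key fingerprint
    return None


def classify_upload(package: str, status_lines: List[str],
                    approved: Dict[str, Set[str]] = APPROVED_SIGNERS) -> Tuple[str, str]:
    """Return (state, reason): 'verified', 'unverified' or 'rejected'."""
    status = parse_status(status_lines)
    if "BADSIG" in status:
        return "rejected", "signature does not match the uploaded file"
    if "NO_PUBKEY" in status or "ERRSIG" in status:
        return "unverified", "signed by a key the repository does not have"
    if "EXPKEYSIG" in status or "REVKEYSIG" in status:
        return "unverified", "signing key is expired or revoked"
    fpr = signer_fingerprint(status)
    if fpr is None:
        return "unverified", "no signature (PEP 243 makes it optional)"
    if fpr in approved.get(package, set()):
        return "verified", f"signed by approved key {fpr}"
    return "unverified", f"signed by {fpr}, not an approved signer for {package}"


def run_gpg_verify(signature_path: str, file_path: str,
                   gnupghome: Optional[str] = None) -> List[str]:
    """Run gpg on a detached signature and return its status lines.

    Needs gpg on PATH; --batch keeps it from prompting. Feed the result to
    classify_upload().
    """
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, file_path]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    for name, lines in [("good", SAMPLE_STATUS_GOOD), ("bad", SAMPLE_STATUS_BAD),
                        ("unknown", SAMPLE_STATUS_UNKNOWN_KEY), ("unsigned", [])]:
        print(name, classify_upload("examplepkg", lines))
```

Two caveats a practitioner would keep in mind: the allow-list is matched on the full fingerprint rather than the key ID for a reason (short IDs are cheap to collide), and a valid signature only proves who signed the bytes, not that those bytes belong to this package name and version; binding the name and version into the signed content is what stops a signed old release from being re-uploaded under a new number.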