[Distutils] What to do about the PyPI mirrors

Noah Kantrowitz noah at coderanger.net
Tue Aug 6 08:31:08 CEST 2013

On Aug 5, 2013, at 11:11 PM, Christian Theune <ct at gocept.com> wrote:

> Two more things:
> why is the CDN not suffering from the security problems you describe for the mirrors?
> a) Fastly seems to be the one owning the certificate for pypi.python.org. What?!?

They have a delegated SAN for it, which DigiCert (the CA) authorizes with the domain contact (the board in this case).

> b) What does stop Fastly from introducing incorrect/rogue code in package downloads?

Basically this one boils down to personal trust from me to the Fastly team combined with the other companies using them being very reputable. At the end of the day, there is not currently any cryptographic mechanism preventing Fastly from doing bad things.
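As an added illustration (not part of the original message or of any PyPI/Fastly code), the following shows the kind of client-side check that does not depend on trusting the CDN: the bytes actually received are compared against a digest pinned out of band, in the `#sha256=...` URL-fragment style. The sample archive bytes and URL are constructed for the demo; the check only detects tampering if the pinned digest came from somewhere the client trusts more than the CDN (a requirements file with recorded hashes, for instance), because an index page served through the same CDN could be rewritten along with the artifact.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample input: the bytes a client would receive and a
# PyPI-style download URL whose fragment pins the expected digest.
# Not a real PyPI artifact.
SAMPLE_ARCHIVE = b"fake-sdist-contents-for-demo"
SAMPLE_URL = (
    "https://pypi.python.org/packages/source/e/example/example-1.0.tar.gz"
    "#sha256=" + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
)


def expected_digest(url):
    """Return (algorithm, hexdigest) from a '#alg=hex' URL fragment, or None."""
    frag = urlparse(url).fragment
    if "=" not in frag:
        return None
    alg, _, hexdigest = frag.partition("=")
    # Only accept algorithms this interpreter can actually compute.
    if alg not in hashlib.algorithms_available:
        return None
    return alg, hexdigest.lower()


def verify_download(url, data):
    """True only if the received bytes match the digest pinned in the URL.

    A missing or unusable pin is treated as a failure: without a pin there is
    nothing to check the CDN's output against, so the download is rejected.
    """
    pinned = expected_digest(url)
    if pinned is None:
        return False
    alg, hexdigest = pinned
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(actual, hexdigest)


if __name__ == "__main__":
    print("intact:", verify_download(SAMPLE_URL, SAMPLE_ARCHIVE))
    print("altered:", verify_download(SAMPLE_URL, SAMPLE_ARCHIVE + b"x"))
```

A client that rejects a download whenever the pin is absent, as this one does, turns a silent substitution into a visible failure; the remaining trust question is only where the pinned digest itself came from.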

