[Distutils] What to do about the PyPI mirrors

martin at v.loewis.de
Tue Aug 6 09:03:47 CEST 2013


Quoting holger krekel <holger at merlinux.eu>:

> The problem is not so much trusting individuals but that the companies
> in question are based in the US.  If its government wants to temporarily
> serve backdoored packages to select regions, they could silently force Fastly
> to do it.  I guess the only way around this is to work with pypi- and
> eventually author/maintainer-signatures and verification.

Both are actually in place, just not widely used. Each simple page gets
a PyPI signature, in /serversig, which would allow one to validate that a
mirror or the CDN has the copy that is also on the master.

For author signatures, PGP has been available for quite some time. As with
any author signature, you then need to convince yourself that the key
actually belongs to the author.

Regards,
Martin
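As an added illustration of the check Martin describes (this is not code from the thread or from PyPI), the following Go program models a mirror client verifying a simple page against a detached /serversig and then verifying the downloaded file against the hash the page carries. It assumes an Ed25519 key because that is in Go's standard library; the real master key of the time was a DSA key served at /serverkey as specified by PEP 381, and the page text, tarball bytes and key seed below are constructed for the example. The "#md5=" fragment mirrors the form the simple index used then.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Constructed master key pair (assumption: stands in for the DSA /serverkey).
var masterSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
var masterPriv = ed25519.NewKeyFromSeed(masterSeed)
var masterPub = masterPriv.Public().(ed25519.PublicKey)

// Constructed package file; the simple page linking to it is built from its hash.
var fooTarball = []byte("constructed tarball bytes for foo-1.0")

func buildSimplePage(dist []byte) []byte {
	sum := md5.Sum(dist)
	return []byte(fmt.Sprintf(
		"<html><body>\n<a href=\"../../packages/source/f/foo/foo-1.0.tar.gz#md5=%s\">foo-1.0.tar.gz</a>\n</body></html>\n",
		hex.EncodeToString(sum[:])))
}

// SignSimplePage is the master's side: a detached signature over the exact
// bytes of the simple page, published as /simple/<pkg>/serversig.
func SignSimplePage(priv ed25519.PrivateKey, page []byte) []byte {
	return ed25519.Sign(priv, page)
}

// VerifyMirrorPage is the client's side. Page and serversig both come from the
// mirror or CDN; the master public key must come from somewhere the CDN does
// not control (pinned in the client, or fetched directly from the master).
func VerifyMirrorPage(pub ed25519.PublicKey, page, serversig []byte) bool {
	if len(serversig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, page, serversig)
}

var md5Fragment = regexp.MustCompile(`foo-1\.0\.tar\.gz#md5=([0-9a-f]{32})`)

// VerifyDistFile closes the loop: the signature covers only the page, but the
// page carries the file's hash, so a file that does not match the hash named
// in an already-verified page is rejected.
func VerifyDistFile(page, dist []byte) bool {
	m := md5Fragment.FindSubmatch(page)
	if m == nil {
		return false
	}
	sum := md5.Sum(dist)
	return hex.EncodeToString(sum[:]) == string(m[1])
}

// Scenario runs the three cases a mirror client must tell apart and reports
// whether each was accepted: an honest copy, a page rewritten to point at a
// different file, and the original page served with a substituted file.
func Scenario() (honest, rewrittenPage, swappedFile bool) {
	page := buildSimplePage(fooTarball)
	sig := SignSimplePage(masterPriv, page)

	honest = VerifyMirrorPage(masterPub, page, sig) && VerifyDistFile(page, fooTarball)

	otherFile := []byte("different bytes")
	otherPage := buildSimplePage(otherFile) // hash rewritten to match otherFile
	rewrittenPage = VerifyMirrorPage(masterPub, otherPage, sig) && VerifyDistFile(otherPage, otherFile)

	swappedFile = VerifyMirrorPage(masterPub, page, sig) && VerifyDistFile(page, otherFile)
	return
}

func main() {
	h, r, s := Scenario()
	fmt.Printf("honest mirror accepted: %v\nrewritten page accepted: %v\nswapped file accepted: %v\n", h, r, s)
}
```

Only the honest case is accepted. The point Martin's reply hinges on is where the master key comes from: if the client obtains it through the same CDN that serves the pages, a CDN that can alter content for select regions can also hand out a matching key, so the key must be pinned or fetched out of band. The check also says nothing about whether the package itself is what its author released; that is what the PGP author signatures he mentions are for.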
