[Distutils] What to do about the PyPI mirrors

Donald Stufft donald at stufft.io
Tue Aug 6 09:17:35 CEST 2013

On Aug 6, 2013, at 3:03 AM, martin at v.loewis.de wrote:

> Quoting holger krekel <holger at merlinux.eu>:
>> The problem is not so much trusting individuals but that the companies
>> in question are based in the US.  If its government wants to temporarily
>> serve backdoored packages to select regions, they could silently force Fastly
>> to do it.  I guess the only way around this is to work with pypi- and
>> eventually author/maintainer-signatures and verification.
> Both are actually in place, just not widely used. Each simple page gets
> a pypi signature, in /serversig, which would allow validating that a
> mirror or the CDN has the copy that is also on the master.

Unless I'm forgetting something, there's no real way to get the server key
without going through Fastly, and even if there were, Fastly could just hijack
an upload (and murder their entire business in the process).

> Regards,
> Martin
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
