[Distutils] self.introduce(distutils-sig)

Nick Coghlan ncoghlan at gmail.com
Wed Mar 20 17:31:38 CET 2013


On Wed, Mar 20, 2013 at 9:03 AM, Steve Dower <Steve.Dower at microsoft.com> wrote:
>> From: Nick Coghlan [mailto:ncoghlan at gmail.com]
>> [snip]
>>
>> I was pointed to an interesting resource:
>> http://www.lfd.uci.edu/~gohlke/pythonlibs/
>>
>> (The security issues with that arrangement are non-trivial, but the
>> convenience factor is huge)
>
> FWIW, one of the guys on our team has met with Christoph and considers him trustworthy.

Thanks, that's great to know, and ties into an idea that I just had.
In addition to whether or not the build is trusted, there's also the
risk of MITM attacks against the download site (less so when automated
installers aren't involved, but still a risk). We just switched PyPI
over to HTTPS for that very reason.

The idle thought I had was that it may be useful if PyPI users could
designate other users as "repackagers" for their project, and PyPI
offered an interface that was *just* file uploads for an existing
release.

Then the pip developers, for example, could say "we trust Christoph to
make our Windows installers", and grant him repackager access so he
could upload the binaries for secure redistribution from PyPI rather
than needing to host them himself.

We'd probably want something like this for an effective build farm
system anyway, this way it could work regardless of whether it was a
human or an automated system converting the released sdists to
platform specific binaries.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
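The "repackager" role sketched in the message above, as an added example of the least-privilege split it implies. This is illustration code written for this page, not PyPI's or pip's own implementation; every name in it (Role, Action, Project, Index, the ALLOWED table, the users "pip-dev" and "repackager", and the installer bytes) is a constructed assumption. A repackager may do exactly one thing, add a new file to a release that already exists; creating releases, replacing published files, editing the project and delegating access stay with the owners.

```python
"""Toy 'repackager' permission model for a package index.

Added illustration only; this is not PyPI's code. All names (Role, Action,
Project, Index, the ALLOWED table) are assumptions made for the example.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    REPACKAGER = "repackager"


class Action(Enum):
    CREATE_RELEASE = "create_release"
    UPLOAD_FILE = "upload_file"
    DELETE_FILE = "delete_file"
    EDIT_PROJECT = "edit_project"


# Least privilege: a repackager gets exactly one capability, adding files.
ALLOWED = {
    Role.OWNER: set(Action),
    Role.REPACKAGER: {Action.UPLOAD_FILE},
}


class Denied(PermissionError):
    """Raised when a user lacks the role needed for an action."""


@dataclass
class Project:
    name: str
    roles: dict = field(default_factory=dict)     # username -> Role
    releases: dict = field(default_factory=dict)  # version -> {filename: sha256 hex}


@dataclass
class Index:
    projects: dict = field(default_factory=dict)

    def create_project(self, name, owner):
        self.projects[name] = Project(name, roles={owner: Role.OWNER})

    def _check(self, project, user, action):
        role = project.roles.get(user)
        if role is None or action not in ALLOWED[role]:
            raise Denied(f"{user} may not {action.value} on {project.name}")

    def grant_repackager(self, project_name, owner, user):
        p = self.projects[project_name]
        self._check(p, owner, Action.EDIT_PROJECT)  # only an owner can delegate
        p.roles.setdefault(user, Role.REPACKAGER)   # never downgrade an existing owner

    def create_release(self, project_name, user, version):
        p = self.projects[project_name]
        self._check(p, user, Action.CREATE_RELEASE)
        if version in p.releases:
            raise ValueError(f"{version} already exists")
        p.releases[version] = {}

    def upload_file(self, project_name, user, version, filename, data):
        """Add one file to an existing release; returns its sha256 hex digest."""
        p = self.projects[project_name]
        self._check(p, user, Action.UPLOAD_FILE)
        rel = p.releases.get(version)
        if rel is None:
            # An upload must never create a release as a side effect.
            raise Denied(f"{version} is not an existing release of {p.name}")
        if filename in rel:
            # Add-only: a published file can never be replaced in place.
            raise Denied(f"{filename} already published for {p.name} {version}")
        rel[filename] = hashlib.sha256(data).hexdigest()
        return rel[filename]


def attempt(fn, *args):
    """Return True if the call succeeds, False if the index denies it."""
    try:
        fn(*args)
        return True
    except Denied:
        return False


def demo():
    """Walk through the scenario from the mail with constructed data."""
    idx = Index()
    idx.create_project("pip", "pip-dev")
    idx.create_release("pip", "pip-dev", "1.3")
    idx.grant_repackager("pip", "pip-dev", "repackager")
    blob = b"constructed installer bytes, not a real build"
    up = idx.upload_file
    return {
        "repackager_adds_binary": attempt(up, "pip", "repackager", "1.3", "pip-1.3.win32.exe", blob),
        "repackager_overwrites": attempt(up, "pip", "repackager", "1.3", "pip-1.3.win32.exe", b"x"),
        "repackager_new_release": attempt(up, "pip", "repackager", "1.4", "pip-1.4.win32.exe", blob),
        "repackager_creates_release": attempt(idx.create_release, "pip", "repackager", "1.4"),
        "repackager_delegates": attempt(idx.grant_repackager, "pip", "repackager", "friend"),
        "stranger_uploads": attempt(up, "pip", "stranger", "1.3", "pip-1.3.win64.exe", blob),
        "published": dict(idx.projects["pip"].releases["1.3"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The index records a digest for each accepted file, so a client fetching over HTTPS can compare what it downloaded against what the index says was published; that, rather than the role model alone, is what addresses the download-site MITM concern raised in the message.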
