[Distutils] PEP453 - Explicit bootstrapping of pip in Python installations

Nick Coghlan ncoghlan at gmail.com
Tue Sep 3 14:47:52 CEST 2013


On 3 September 2013 22:33, Anders J. Munch <ajm at flonidan.dk> wrote:
> Donald Stufft
>>It also proposes that
>> the distributions of Python available via Python.org will automatically run
>> this explicit bootstrapping method and a recommendation to third party
>> redistributors of Python to also provide pip by default (in a way
>> reasonable for their distributions).
>
> Before getpip executes code it just downloaded from the 'net, how is
> it validated?  Would getpip contain the public keys of select
> maintainers to verify the download?

It would be trusting the integrity of PyPI for the software itself,
and the CA system to know that it's actually talking to PyPI. Far from
ideal, but we don't have a viable end-to-end signing system yet
(mostly due to the associated key management and update/revocation
problems).

Given that the trust model for the installer itself is usually "I
downloaded it from python.org", the risk isn't actually increased all
that much.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
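As an added illustration of the two trust checks discussed above (not code from this thread, from PEP 453, or from get-pip itself): CA-verified TLS answers "am I really talking to PyPI?", and a digest obtained out of band answers "is this the file that was meant to be served?" before any of it is executed. The URL and digest values are constructed placeholders, and nothing here contacts the network unless `bootstrap_script` is called.

```python
"""Validation of a downloaded bootstrap script: verified TLS plus an
out-of-band SHA-256 digest. Added example; not get-pip's own code."""
import hashlib
import hmac
import ssl
import urllib.request


def verified_tls_context() -> ssl.SSLContext:
    """CA-chain and hostname verification both enabled.

    This is the 'CA system' trust the message relies on; a bootstrapper
    must never relax verify_mode or check_hostname on this context.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    return ctx


def fetch(url: str, timeout: float = 30.0) -> bytes:
    """Download over TLS using the verified context (network access)."""
    req = urllib.request.Request(url)
    with urllib.request.urlopen(req, timeout=timeout,
                                context=verified_tls_context()) as resp:
        return resp.read()


def digest_matches(payload: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison against a digest published out of band
    (e.g. alongside the release), not one fetched from the same server."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def bootstrap_script(url: str, expected_sha256_hex: str) -> bytes:
    """Return the script bytes only if both checks pass; never exec on failure."""
    payload = fetch(url)
    if not digest_matches(payload, expected_sha256_hex):
        raise RuntimeError("bootstrap script does not match the expected digest")
    return payload


if __name__ == "__main__":
    # Constructed sample, not a real bootstrap script or real digest.
    sample = b"print('constructed bootstrap script')\n"
    good = hashlib.sha256(sample).hexdigest()
    print(digest_matches(sample, good), digest_matches(sample + b"x", good))
```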

