[Distutils] PEP453 - Explicit bootstrapping of pip in Pythoninstallations
Donald Stufft
donald at stufft.io
Tue Sep 3 14:48:31 CEST 2013
On Sep 3, 2013, at 8:47 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 3 September 2013 22:33, Anders J. Munch <ajm at flonidan.dk> wrote:
>> Donald Stufft
>>> It also proposes that
>>> the distributions of Python available via Python.org will automatically run
>>> this explicit bootstrapping method and a recommendation to third party
>>> redistributors of Python to also provide pip by default (in a way
>>> reasonable for their distributions).
>>
>> Before getpip executes code it just downloaded from the 'net, how is
>> it validated? Would getpip contain the public keys of select
>> maintainers to verify the download?
>
> It would be trusting the integrity of PyPI for the software itself,
> and the CA system to know that it's actually talking to PyPI. Far from
> ideal, but we don't have a viable end-to-end signing system yet
> (mostly due to the associated key management and update/revocation
> problems).
>
> Given that the trust model for the installer itself is usually "I
> downloaded it from python.org", the risk isn't actually increased all
> that much.
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
On top of that it would gain improvements as pip itself gains improvements in this area.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130903/12c2d7b0/attachment.sig>
More information about the Distutils-SIG
mailing list