[Distutils] PEP453 - Explicit bootstrapping of pip in Python installations

Anders J. Munch ajm at flonidan.dk
Tue Sep 3 15:14:23 CEST 2013


Nick Coghlan:
> It would be trusting the integrity of PyPI for the software itself,
> and the CA system to know that it's actually talking to PyPI. Far from
> ideal, but we don't have a viable end-to-end signing system yet
> (mostly due to the associated key management and update/revocation
> problems).

So retrieving pip is over https and the cert is validated? That's a
satisfactory answer, certainly.

> Given that the trust model for the installer itself is usually "I
> downloaded it from python.org", the risk isn't actually increased all
> that much.

I'd worry about any increase in risk.  If the target becomes big
enough, malware may start targeting Python auto-install mechanisms,
even if it doesn't today.  The python.org installers are PGP signed,
by the way. Maybe you meant the installers retrievable through PyPI?

regards, Anders
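The two questions in the message above, whether the download actually validates the server certificate and whether the fetched bytes are checked against something pinned out of band, come down to a few lines of code. The following is an added example, not code from the thread, from pip or from the PEP 453 bootstrap. The URL and the digest handling are assumptions for illustration: a SHA-256 pinned in the installer stands in for the PGP signature check the message mentions, since verifying a detached PGP signature needs gpg or a PGP library and is out of scope here. The sample payload in the `__main__` block is constructed for the demonstration.

```python
"""Bootstrap download check: validated TLS plus a digest pinned out of band.

Added example; not pip's or CPython's code. EXAMPLE_URL is a placeholder.
"""
import hashlib
import hmac
import ssl
import urllib.request

# Hypothetical URL, used only as a placeholder; not a real pip release.
EXAMPLE_URL = "https://example.invalid/get-pip.py"


def make_verified_context() -> ssl.SSLContext:
    """TLS context that validates the server chain against the platform CA
    store and checks the hostname: this is what "the cert is validated" means."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The weak setting, shown only for comparison: any certificate is
    accepted, so an on-path attacker can serve a substitute installer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if both chain validation and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def https_fetch(url: str, ctx: ssl.SSLContext) -> bytes:
    """Real fetcher: refuses plain http and refuses a non-validating context
    before any connection is opened."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: %s" % url)
    if not context_is_verifying(ctx):
        raise ValueError("refusing TLS context that does not validate certificates")
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read()


def fetch_verified(url: str, expected_sha256: str, fetch=None, ctx=None) -> bytes:
    """Download over validated TLS, then check the bytes against a digest that
    shipped with the installer rather than with the download.

    `fetch` is injectable so the check can be exercised offline."""
    ctx = ctx if ctx is not None else make_verified_context()
    fetch = fetch if fetch is not None else https_fetch
    if not context_is_verifying(ctx):
        raise ValueError("TLS context does not validate certificates")
    data = fetch(url, ctx)
    actual = sha256_hex(data)
    # Constant-time compare; the pinned value is the end-to-end trust anchor.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError("digest mismatch: expected %s, got %s" % (expected_sha256, actual))
    return data


if __name__ == "__main__":
    # Constructed stand-in for the downloaded bootstrap script; no network used.
    sample = b"print('constructed stand-in for get-pip.py')\n"
    pinned = sha256_hex(sample)
    ok = fetch_verified(EXAMPLE_URL, pinned, fetch=lambda u, c: sample)
    print("verified %d bytes" % len(ok))
    try:
        fetch_verified(EXAMPLE_URL, pinned, fetch=lambda u, c: sample + b"#tampered\n")
    except ValueError as e:
        print("rejected:", e)
```

The TLS context only answers "am I talking to the host I asked for"; the pinned digest is what answers "are these the bytes the release manager published", which is the part a CA compromise or a PyPI compromise would otherwise leave uncovered.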


