[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480
Donald Stufft
donald at stufft.io
Wed Dec 31 03:32:40 CET 2014
> On Dec 30, 2014, at 9:29 PM, Richard Jones <richard at python.org> wrote:
>
> Thanks for the clarification, guys.
>
> Donald, I'm not sure what you mean by "a compromise of the CDN for *uploading*".
PyPI trusts the CDN to give it the correct bits; without a signature from the author being verified, uploading just relies on TLS again. The other PEP should close that gap though, I believe.
Note: I have yet to read these PEPs so I’m just going by a casual glance of them.
---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA