[Distutils] PEP draft on PyPI/pip package signing

Donald Stufft donald at stufft.io
Mon Jul 28 23:17:32 CEST 2014


On July 28, 2014 at 4:26:42 PM, Donald Stufft (donald at stufft.io) wrote:
> On July 28, 2014 at 1:42:54 PM, Giovanni Bajo (rasky at develer.com) wrote:
> >
> > I thus solicit a second round of review of my proposal; if you want me to upload to Google
> > Docs for easier commenting, I can do that as well. I would love to get the PEP to its final
> > form and then ask for a pronouncement.
> >
> 

Oh, I forgot to mention also about the package signing...

Actually *discovering* the packages which are to be installed is still
completely dependent on the security of TLS. This means if the TLS connection
was compromised then someone could trick people into being insecure by
presenting them a list of packages which is not complete and which only shows
older, insecure ones that are missing important security updates, thus tricking
someone into installing known vulnerable software.

-- 
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
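An added example (mine, not from the thread or from pip) that models the gap described above: a client that verifies per-file signatures but trusts whatever listing TLS delivered still installs the stale release when the listing is trimmed, whereas a listing that is itself signed and carries an expiry rejects both the trimmed copy and a replayed old copy. The publisher key, release contents and the issued/ttl freshness scheme are constructed assumptions, and an HMAC stands in for a real signature.

```python
import hashlib
import hmac
import json

# Constructed shared key standing in for a publisher's signing key (assumption)
PUBLISHER_KEY = b"constructed-publisher-key"


def sign(data: bytes) -> str:
    """Stand-in for a detached signature over data."""
    return hmac.new(PUBLISHER_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)


# Constructed release files for one project; 1.0 plays the known-vulnerable release
RELEASES = {
    "1.0": b"widget-1.0.tar.gz (constructed, has the bug)",
    "1.1": b"widget-1.1.tar.gz (constructed, security fix)",
}
FILE_SIGS = {v: sign(data) for v, data in RELEASES.items()}


def install_latest(listing):
    """Client that trusts the version list it was served (TLS only) and
    verifies only the signature of the file it picks. A trimmed listing
    passes every check and still yields the old release."""
    latest = max(listing, key=lambda v: tuple(int(p) for p in v.split(".")))
    if not verify(RELEASES[latest], FILE_SIGS[latest]):
        raise ValueError("file signature invalid")
    return latest


def make_signed_listing(versions, issued, ttl=3600):
    """Publisher signs the whole version list plus an issue time and lifetime."""
    body = json.dumps({"versions": sorted(versions), "issued": issued,
                       "ttl": ttl}, sort_keys=True).encode()
    return {"body": body, "sig": sign(body)}


def install_latest_signed(signed_listing, now):
    """Client that checks the listing's signature and freshness before
    choosing a version, so trimming or replaying the list is detected."""
    body, sig = signed_listing["body"], signed_listing["sig"]
    if not verify(body, sig):
        raise ValueError("listing signature invalid")
    meta = json.loads(body)
    if now > meta["issued"] + meta["ttl"]:
        raise ValueError("listing expired: possible replay of an old index")
    return install_latest(meta["versions"])
```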

