[pydotorg-www] project plan

"Martin v. Löwis" martin at v.loewis.de
Mon Apr 19 22:51:36 CEST 2010

> https://blogs.apache.org/infra/entry/apache_org_04_09_2010 describes a
> recent attack on apache.org in detail.  The attack seems to have been
> targeted at ASF specifically, though the motivation is unknown
> (trojaning code releases or SVN repositories? getting passwords of
> developer who work for companies of interest).  Considering the number
> of people who complain that when PyPI is down, they can't build
> things, I think a fair number of build/installation processes download
> things from PyPI and install them, so we could find PSF servers the
> target of a similar attack.

I don't think this should primarily belong to Richard's plan. Instead,
if you have a specific idea of how this can be solved, please post it
to catalog-sig.

About the only approach I can think of is PGP signing by the actual
package authors, which is already supported in PyPI (but not in
setuptools/distribute, AFAIK). We could strengthen this with our own web
of trust within the community of PyPI users, which would take
some time to setup. We could also encourage the use of CACert user
certificates for code signing in stead/in addition.


More information about the pydotorg-www mailing list