[pydotorg-www] project plan

A.M. Kuchling amk at amk.ca
Tue Apr 20 15:37:34 CEST 2010

On Mon, Apr 19, 2010 at 11:57:29PM +0200, "Martin v. Löwis" wrote:
> In a sense, it does: AMK suggested that security should be part of the
> requirements for a revamp, with a view on distutils/setuptools, which
> should only download "trusted" code. So in this respect, the revamp

I'm also concerned about the SVN/Hg repository; if there was a
break-in on dinsdale, how would we go about ensuring nothing had been
slipped into the source code?  GPG-signed tarballs are fairly easily
checked, and Hg's use of hashing and distributed copies may make it
easy to find changes there.

I'd argue to have a separate download site that's very small and
static, and lives on the same server as SVN/Hg.  New dynamic stuff
would be run on a different server, or in a VM, so that a break-in
wouldn't risk the primary asset, the code.


More information about the pydotorg-www mailing list