[pydotorg-www] project plan

Barry Warsaw barry at python.org
Tue Apr 20 16:16:30 CEST 2010


On Apr 20, 2010, at 09:37 AM, A.M. Kuchling wrote:

>I'm also concerned about the SVN/Hg repository; if there was a
>break-in on dinsdale, how would we go about ensuring nothing had been
>slipped into the source code?  GPG-signed tarballs are fairly easily
>checked, and Hg's use of hashing and distributed copies may make it
>easy to find changes there.

I don't know whether Mercurial has the same feature that Bazaar has, where
each revision can be signed, locally, on commit.  I always enable that for
everything I do.  I also don't know whether that can be enforced (e.g. ensure
on the server that on push, every revision is signed by a known gpg key).
That may not prevent corruption after a break-in, but it would make
post-attack analysis much easier.

-Barry
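The push-time policy Barry speculates about, written out as an added example that is not code from the python.org infrastructure or from any Mercurial extension: every pushed revision must carry a detached GPG signature whose full key fingerprint is on a server-side allow-list, and the push is rejected (with a per-revision report for later analysis) if any revision fails. The gpg invocation is an assumed helper; the offline demo feeds the policy constructed `gpg --status-fd` output instead of calling gpg.

```python
import subprocess


def gpg_status(signed_data, sig_path):
    """Verify a detached signature with gpg and return its --status-fd lines.
    Assumes a gpg binary on PATH; the offline demo below never calls this."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, "-"],
        input=signed_data, capture_output=True, check=False)
    return proc.stdout.decode("utf-8", "replace")


def valid_fingerprint(status):
    """Return the full fingerprint from a VALIDSIG status line, or None.
    VALIDSIG is emitted only for a good signature and carries the 40-hex
    fingerprint; GOODSIG carries only a short key id, which is not safe
    to match against an allow-list."""
    for line in status.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[2].upper()
    return None


def check_push(nodes, signatures, trusted, status_for):
    """Return (node, reason) for each pushed revision violating the policy.
    Empty list: accept the push. Otherwise reject the whole transaction and
    keep the list, which tells an investigator exactly which revisions lack
    a trusted signature."""
    failures = []
    for node in nodes:
        if node not in signatures:
            failures.append((node, "unsigned"))
            continue
        fpr = valid_fingerprint(status_for(node, signatures[node]))
        if fpr is None:
            failures.append((node, "bad or missing signature"))
        elif fpr not in trusted:
            failures.append((node, "signed by unknown key " + fpr))
    return failures


# Constructed sample data for an offline run (no real keys or revisions).
DEV_FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
STRANGER_FPR = "1111111111111111111111111111111111111111"
TRUSTED = {DEV_FPR}
VALIDSIG = "[GNUPG:] NEWSIG\n[GNUPG:] VALIDSIG %s 2010-04-20 1271772990 0 4 0 1 2 00 %s\n"
DEMO_STATUS = {  # constructed gpg --status-fd output, keyed by signature id
    "sig-ok": VALIDSIG % (DEV_FPR, DEV_FPR),
    "sig-stranger": VALIDSIG % (STRANGER_FPR, STRANGER_FPR),
    "sig-broken": "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF0123ABCD Dev <dev@example.org>\n",
}


def demo():
    nodes = ["aaaa1111", "bbbb2222", "cccc3333", "dddd4444"]
    sigs = {"aaaa1111": "sig-ok", "bbbb2222": "sig-stranger", "cccc3333": "sig-broken"}
    return check_push(nodes, sigs, TRUSTED, lambda node, sig: DEMO_STATUS[sig])
```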