[pydotorg-www] project plan

Steve Holden steve at holdenweb.com
Tue Apr 20 22:12:52 CEST 2010


Martin v. Löwis wrote:
> A.M. Kuchling wrote:
>> On Mon, Apr 19, 2010 at 11:57:29PM +0200, "Martin v. Löwis" wrote:
>>> In a sense, it does: AMK suggested that security should be part of the
>>> requirements for a revamp, with a view on distutils/setuptools, which
>>> should only download "trusted" code. So in this respect, the revamp
>> I'm also concerned about the SVN/Hg repository; if there was a
>> break-in on dinsdale, how would we go about ensuring nothing had been
>> slipped into the source code?  GPG-signed tarballs are fairly easily
>> checked, and Hg's use of hashing and distributed copies may make it
>> easy to find changes there.
>>
>> I'd argue to have a separate download site that's very small and
>> static, and lives on the same server as SVN/Hg.  New dynamic stuff
>> would be run on a different server, or in a VM, so that a break-in
>> wouldn't risk the primary asset, the code.
> 
> Ah, if that's your concern, and solution (i.e. avoid dynamic web sites
> on machines having critical code), then I'm with you. That's certainly
> desirable, and also within scope of this project.

I certainly can't see any really good reason why the distributions have
to be inside a dynamic web site. And as far as the code goes, the more
protection the better.

regards
 Steve
-- 
Steve Holden           +1 571 484 6266   +1 800 494 3119
See PyCon Talks from Atlanta 2010  http://pycon.blip.tv/
Holden Web LLC                 http://www.holdenweb.com/
UPCOMING EVENTS:        http://holdenweb.eventbrite.com/
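The check AMK describes above, detecting what was "slipped into" a tree by comparing it against a trusted distributed copy, as an added example that is not part of this thread or of python.org's tooling. It builds a content hash per file and one hash over the whole tree (in the spirit of a Mercurial manifest node) so a mismatch can be localised to specific paths; the file contents are constructed sample data, not real CPython files.

```python
import hashlib
from typing import Dict, List, Tuple


def tree_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file's contents, giving a per-path fingerprint of a tree."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def manifest_id(manifest: Dict[str, str]) -> str:
    """One identifier covering the whole tree: any change to any path or
    to any file's content changes this value, regardless of dict order."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(path.encode() + b"\0" + manifest[path].encode() + b"\n")
    return h.hexdigest()


def diff_manifests(trusted: Dict[str, str],
                   suspect: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed) paths of a suspect tree relative to a trusted copy."""
    modified = sorted(p for p in trusted if p in suspect and trusted[p] != suspect[p])
    added = sorted(p for p in suspect if p not in trusted)
    removed = sorted(p for p in trusted if p not in suspect)
    return modified, added, removed


# Constructed sample trees (hypothetical contents): what a trusted mirror holds
# versus what the (possibly compromised) server now serves.
TRUSTED_TREE = {
    "setup.py": b"from distutils.core import setup\nsetup(name='demo')\n",
    "Lib/demo.py": b"def hello():\n    return 'hi'\n",
}
SERVER_TREE = {
    "setup.py": b"from distutils.core import setup\nimport os\nsetup(name='demo')\n",
    "Lib/demo.py": TRUSTED_TREE["Lib/demo.py"],
    "Lib/unreviewed.py": b"# a file that was never committed\n",
}


def audit(trusted_files: Dict[str, bytes], server_files: Dict[str, bytes]):
    """Compare whole-tree ids first (cheap), then localise any difference."""
    trusted_m, server_m = tree_manifest(trusted_files), tree_manifest(server_files)
    clean = manifest_id(trusted_m) == manifest_id(server_m)
    return clean, diff_manifests(trusted_m, server_m)


if __name__ == "__main__":
    clean, (modified, added, removed) = audit(TRUSTED_TREE, SERVER_TREE)
    print("tree matches trusted copy:", clean)
    print("modified:", modified, "added:", added, "removed:", removed)
```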

