[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Jack Jansen Jack.Jansen at cwi.nl
Fri Oct 3 04:50:31 EDT 2003

On Friday, October 3, 2003, at 12:37 AM, Bob Ippolito wrote:
>> But we should definitely allow for some sort of public key scheme to
>> be used. I've been toying with the idea of using the secure http of
>> your browser, something like a "check integrity" button that would
>> take the MD5 sum of the database, get an entry IntegrityCheck from
>> the database (of the form 
>> "https://www.python.org/pimp/integrity/%s.html")
>> fill in the md5sum and send your browser there. Probably the user
>> should get a dialog first (from pimp) explaining how to check the
>> integrity (look at the padlock) and what it means (you're only 
>> trusting
>> the fact that whoever maintains the website also created this pimp
>> database).
> I already purchased a GeoTrust (browsers trust this CA by default) SSL 
> certificate for pythonmac.org with this purpose in mind.  I'm not big 
> on the MD5 sums of databases thing, I think that it should be done 
> with signatures, a la GPG.  That way the author could update the 
> database, without python.org updating its, because the public key is 
> the same.

Sorry, I wasn't clear enough. There is no such thing as a central list 
of trusted packages.
Your database would have an IntegrityCheck of 
The integrity check succeeding would only mean that the database the 
user has on-disk is
indeed the exact same database as what you created, and by trusting the 
database the
end-user trusts you (or, actually, as you pointed out elsewhere, the 
end user trusts you and
your webhoster).

As md5 is included in the standard Python distribution, and its good 
enough for
testing document integrity I see no reason to use something more 
elaborate. A PGP signature
would allow offline verification, but the idea is that the https: 
integrity check URL
handles that bit.
Jack Jansen, <Jack.Jansen at cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma 

More information about the Pythonmac-SIG mailing list