[Pythonmac-SIG] Package Manager idea, adding a URL scheme
bob at redivi.com
Fri Oct 3 18:57:02 EDT 2003
On Friday, Oct 3, 2003, at 18:32 America/New_York, Jack Jansen wrote:
> On 3-okt-03, at 23:21, Glenn Andreas wrote:
>> I'm clearly missing something here, because if we have the databases
>> come from a trusted source (python.org) using SSL,
> This is what you're missing: we cannot use SSL to transfer the
> database, because
> core Python has no SSL support.
> We expect the end user to trust a number of entities (because a hole
> in any
> of these would make the whole excercise pointless):
> 1. Apple, anyone with admin access to their machine, and all the other
> parties involved with local infrastructure.
> 2. The Python maintainers.
> 3. The installed Python distribution, including PackMan (either because
> it was Apple-provided, or because people checked the signature on
> website download page).
> 4. The scapegoat.
> 5. Anyone the scapegoat trusts wrt. web distribution (their webhoster,
> key-signing Trusted Third Party).
When using PGP or something like it to sign the package list, #5 can be
eliminated, because the scapegoat is the key signing entity and the web
hoster does not have the private key.
More information about the Pythonmac-SIG