[Pythonmac-SIG] Package Manager idea, adding a URL scheme
Jack Jansen
Jack.Jansen at cwi.nl
Fri Oct 3 19:06:04 EDT 2003
On 3-okt-03, at 19:41, Kevin Ollivier wrote:
> Hi all,
>
> What about making it an 'add-on' for Package Manager? I do see this as
> getting potentially very messy to get into Python core, if it is even
> possible. (And even if we could, it would restrict ways in which
> vendors from other countries could re-package the software - i.e.
> Linux vendor X in country Y may have to remove PM from their distro
> because of legal issues) Just make a prompt when the software is first
> run, saying something like: "While every effort is made to ensure that
> packages are legitimate and safe, some packages could contain viruses
> or malicious code that when run could cause harm to your computer.
> Please be aware that there is some risk involved, especially if you
> are loading Package Manager databases from non-official sources. If
> your country allows the import and use of cryptographic software, you
> may download an update to Package Manager that adds more verification
> controls for package authors from 'your URL here'." Or of course make
> the add-in show up in PackageManager itself. =) I think this is a
> compromise which side-steps any legal issues that might arise.
Very good idea! So we construct PackMan in such a way that it first
tries a secure HTTP connection, and if that fails due to SSL support not
being available in Python it shows the message.
But: I don't think the SSL support should be downloadable through
PackMan; PackMan should point you to an https: URL to load it in a
trusted way. After it's securely transferred to your machine PackMan can
take over again.
--
Jack Jansen, <Jack.Jansen at cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma Goldman