[Pythonmac-SIG] Package Manager idea, adding a URL scheme
bob at redivi.com
Wed Oct 8 18:46:21 EDT 2003
On Oct 8, 2003, at 18:18, Jack Jansen wrote:
> On 9-okt-03, at 0:06, Eric Nieuwland wrote:
>> First there the maintainer of the PackMan database needs to be
>> assured that the source can be trusted. As there can be many sources,
>> this is a hard problem and ultimately would require a full-blown PKI.
>> Now I can hardly imagine anyone would like to set up a PKI just for
>> fun. PGP probably is the way to go here.
> I don't think so: I think MD5 is good enough here. The scapegoat
> downloaded a specific source distribution and built it without
> problems. S/he gets the md5 sum of that distribution, puts the URL and
> md5sum in the database and can be sure that whatever the end user
> downloads is correct.
>> Then there is the end-user who has to be convinced s/he can trust the
>> PackMan database and the packages obtained through it. The discussion
>> on MD5/SHA-1 and SSL seem to cover that fine.
> And now that I know there is SSL support in MacPython (which very
> pleasantly surprised me!!) I think we can solve everything except for
> name server spoofing (by having a well-known secure-http URL in the
> distribution, that we use to check MD5 sums). Since this is as good as
> Safari is (which doesn't complain at all about certificates signed by
> unknown parties! To my surprise it doesn't even seem to let you find
> this out!!) I think it's good enough for us.
Safari sure does complain about certs signed by unknown parties, and
even Mail.app does (in 10.3).
The website’s certificate was signed by an unknown certifying
authority. You might be connecting to a website that is pretending to
be “svn.mobwire.com” which could put your confidential information at
risk. Would you like to continue anyway?
I haven't found a way in Safari to look at the certs, but Mail.app lets
you look at certs.
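The flow Jack sketches above (maintainer records URL plus digest in the database; end user fetches the database over a certificate-checked connection, downloads the distribution from wherever, and compares digests) as a worked example. This is an added illustration for the thread, not code from MacPython, PackMan or anyone in this discussion; the `name url algorithm hexdigest` line format, the `example.invalid` URL and the tiny "distribution" bytes are all constructed for the example. It keeps `md5` selectable because that is what the thread proposes, but a database set up today should record `sha256`.

```python
"""Digest-checked package installs: maintainer side, end-user side, and the
TLS context used to fetch the digest database.

Added example for the Pythonmac-SIG thread; not PackMan's or MacPython's code.
The database line format is hypothetical and chosen for this example only.
"""
import hashlib
import hmac
import ssl
from typing import NamedTuple


class PackageRecord(NamedTuple):
    """One database entry: where to fetch the distribution and what it must hash to."""
    name: str
    url: str
    algorithm: str   # "md5" as proposed in the thread; "sha256" for a current deployment
    digest_hex: str


def digest_bytes(data: bytes, algorithm: str) -> str:
    """Hash a distribution in 64 KiB chunks, the way a streaming download would."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), 64 * 1024):
        h.update(view[start:start + 64 * 1024])
    return h.hexdigest()


def make_record(name: str, url: str, data: bytes, algorithm: str = "sha256") -> PackageRecord:
    """Maintainer side: build the record from a distribution that built cleanly."""
    return PackageRecord(name, url, algorithm, digest_bytes(data, algorithm))


def parse_record_line(line: str) -> PackageRecord:
    """Parse one whitespace-separated line: name url algorithm hexdigest.

    (Hypothetical format.) The digest is validated when the database is loaded,
    so a mistyped or truncated entry is rejected before any user installs with it.
    """
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    name, url, algorithm, digest_hex = fields
    expected_len = hashlib.new(algorithm).digest_size * 2  # ValueError for unknown algorithms
    if len(digest_hex) != expected_len:
        raise ValueError(f"{name}: {algorithm} digest should be {expected_len} hex chars")
    bytes.fromhex(digest_hex)  # ValueError if the field is not hex
    return PackageRecord(name, url, algorithm.lower(), digest_hex.lower())


def verify_distribution(data: bytes, record: PackageRecord) -> bool:
    """End-user side: True only if the downloaded bytes hash to the recorded digest.

    hmac.compare_digest is a constant-time comparison; it costs nothing here and
    is the right habit for any comparison of integrity or authentication values.
    """
    actual = digest_bytes(data, record.algorithm)
    return hmac.compare_digest(actual, record.digest_hex.lower())


def database_client_context() -> ssl.SSLContext:
    """Context for fetching the digest database itself.

    With CERT_REQUIRED and check_hostname, a certificate signed by an unknown
    authority (or issued for another host) is refused, which is the property the
    thread wants from the well-known secure-http URL: the digests cannot be
    swapped by someone on the network path.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed sample: the "distribution" is just the bytes b"abc".
    good = b"abc"
    line = "demo-1.0 https://example.invalid/demo-1.0.tar.gz md5 900150983cd24fb0d6963f7d28e17f72"
    rec = parse_record_line(line)
    print("matches recorded digest:", verify_distribution(good, rec))       # True
    print("tampered copy passes:   ", verify_distribution(b"abd", rec))     # False
    print("maintainer sha256 record:", make_record("demo-1.0", rec.url, good))
    print("database fetch verifies peer:", database_client_context().check_hostname)
```

The only network-facing part is `database_client_context()`; pass it as the `context=` argument of `urllib.request.urlopen` (or `http.client.HTTPSConnection`) when fetching the database, and run `verify_distribution` over the bytes of every distribution before unpacking it. Note that the digest check authenticates the distribution only as strongly as the database fetch authenticates the digest; it does not help if the database is served over plain HTTP.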