[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Bob Ippolito bob at redivi.com
Wed Oct 8 18:46:21 EDT 2003

On Oct 8, 2003, at 18:18, Jack Jansen wrote:

> On 9-okt-03, at 0:06, Eric Nieuwland wrote:
>> First there the maintainer of the PackMan database needs to be 
>> assured that the source can be trusted. As there can be many sources, 
>> this is a hard problem and ultimately would require a full-blown PKI. 
>> Now I can hardly imagine anyone would like to set up a PKI just for 
>> fun. PGP probably is the way to go here.
> I don't think so: I think MD5 is good enough here. The scapegoat 
> downloaded a specific source distribution and built it without 
> problems. S/he gets the md5 sum of that distribution, puts the URL and 
> md5sum in the database and can be sure that whatever the end user 
> downloads is correct.
>> Then there is the end-user who has to be convinced s/he can trust the 
>> PackMan database and the packages obtained through it. The discussion 
>> on MD5/SHA-1 and SSL seems to cover that fine.
> And now that I know there is SSL support in MacPython (which very 
> pleasantly surprised me!!) I think we can solve everything except for 
> name server spoofing (by having a well-known secure-http URL in the 
> distribution, that we use to check MD5 sums). Since this is as good as 
> Safari is (which doesn't complain at all about certificates signed by 
> unknown parties! To my surprise it doesn't even seem to let you find 
> this out!!) I think it's good enough for us.

Safari sure does complain about certs signed by unknown parties, and 
even Mail.app does (in 10.3).

From Safari:
The website’s certificate was signed by an unknown certifying 
authority. You might be connecting to a website that is pretending to 
be “svn.mobwire.com” which could put your confidential information at 
risk. Would you like to continue anyway?

I haven't found a way in Safari to look at the certs, but Mail.app lets 
you look at certs.
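The checksum scheme Jack describes above (maintainer records the URL and digest of the distribution that built cleanly; end user re-hashes the download and compares), worked through as an added example that is not code from the thread or from PackMan. The database line format, the package and URL values and the `CHECKSUM_DB_URL` placeholder are all constructed for the example.

```python
import hashlib
from typing import Dict

# Placeholder for the well-known secure-http URL the thread proposes shipping in
# the distribution; the database text below stands in for what it would serve.
CHECKSUM_DB_URL = "https://example.invalid/packman/checksums.txt"  # placeholder

def digests(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 hex digests, the two algorithms the thread discusses.
    Neither is collision resistant any more; a database built today would
    record SHA-256, but the mechanism is identical."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def make_entry(name: str, url: str, data: bytes) -> str:
    """Maintainer side: one database line for the exact bytes that were built.
    Constructed format: <package> <url> <md5hex> <sha1hex>."""
    d = digests(data)
    return f"{name} {url} {d['md5']} {d['sha1']}"

def parse_db(text: str) -> Dict[str, Dict[str, str]]:
    """Parse database text into {url: {name, md5, sha1}}; '#' lines are comments."""
    db: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, url, md5, sha1 = line.split()
        db[url] = {"name": name, "md5": md5, "sha1": sha1}
    return db

def verify_download(db: Dict[str, Dict[str, str]], url: str, data: bytes) -> bool:
    """End-user side: accept the bytes only if the URL is listed in the
    (HTTPS-fetched) database and both recorded digests match."""
    entry = db.get(url)
    if entry is None:          # unknown source: nothing vouches for it
        return False
    got = digests(data)
    return got["md5"] == entry["md5"] and got["sha1"] == entry["sha1"]

# Constructed sample data: a fake distribution and a one-entry database.
DIST_URL = "http://example.invalid/Numeric-23.tar.gz"
GOOD = b"constructed source distribution contents\n"
TAMPERED = GOOD + b"one extra byte changes everything\n"
DB = parse_db("# constructed sample database\n" + make_entry("Numeric", DIST_URL, GOOD))

if __name__ == "__main__":
    print("good download accepted:", verify_download(DB, DIST_URL, GOOD))
    print("tampered download accepted:", verify_download(DB, DIST_URL, TAMPERED))
```

Fetching the database itself with a certificate-checking HTTPS client is what closes the gap Jack mentions: without that, a spoofed name server could serve a database whose digests match a tampered download.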
