[Pythonmac-SIG] Package manager notes
bob at redivi.com
Wed Oct 8 21:45:08 EDT 2003
On Oct 8, 2003, at 15:37, amk at amk.ca wrote:
> * Note that PyCrypto doesn't help with verifying SSL server
> these are two different levels, and complicated tasks like ASN.1
> separate them. We could either fix the socket module to support
> certificate verification, or we could use bits of PyCrypto to
> check signatures on a file.
> It would be possible to include a signature-only algorithm such as
> DSA in Python, subject to Guido's veto, but that's a non-trivial
> amount of
> packaging work, though, because it would need infrastructure for
> generating prime numbers, etc.
PyOpenSSL or M2Crypto are what one would probably use for this. This
is a perfectly fine solution for OS X, since all versions of OS X (that
I'm aware of) come with OpenSSL out of the box. Windows does not, but
Microsoft has cryptography APIs that could be wrapped for this purpose.
I think the consensus is that Guido will probably veto any kind of
possibly-illegal-somewhere crypto in the Python core, but I see no
reason why we shouldn't be able to wrap the SSL stuff if the OS comes
with a dynamic library that does it all (Python already ships like
this, with limited SSL capability). I'd love to get PyCrypto in
Python, but from the discussions I've been pointed to at python-dev
make me think it will probably not happen.
In any case, I don't think it will be so important to get lots of
batteries in the Python core if people can just use PackMan to install
things quick and easy. For versions of Python that ship with SSL
certificate verification support it could come with enough information
to verify the authenticity of the main PackMan database. Other
versions could maybe ship with the hash and URL of a cryptography
package and the public key of the main PackMan database, which should
be relatively safe if the user is allowed to use cryptography.
Otherwise, they're on their own as far as security goes.
More information about the Pythonmac-SIG