[Pythonmac-SIG] Package manager notes

Bob Ippolito bob at redivi.com
Wed Oct 8 21:45:08 EDT 2003


On Oct 8, 2003, at 15:37, amk at amk.ca wrote:

> * Note that PyCrypto doesn't help with verifying SSL server certificates;
>   these are two different levels, and complicated tasks like ASN.1 parsing
>   separate them.  We could either fix the socket module to support server
>   certificate verification, or we could use bits of PyCrypto to
>   check signatures on a file.
>
>   It would be possible to include a signature-only algorithm such as
>   DSA in Python, subject to Guido's veto, but that's a non-trivial amount of
>   packaging work, though, because it would need infrastructure for
>   generating prime numbers, etc.

PyOpenSSL or M2Crypto are what one would probably use for this.  This 
is a perfectly fine solution for OS X, since all versions of OS X (that 
I'm aware of) come with OpenSSL out of the box.  Windows does not, but 
Microsoft has cryptography APIs that could be wrapped for this purpose.

I think the consensus is that Guido will probably veto any kind of 
possibly-illegal-somewhere crypto in the Python core, but I see no 
reason why we shouldn't be able to wrap the SSL stuff if the OS comes 
with a dynamic library that does it all (Python already ships like 
this, with limited SSL capability).  I'd love to get PyCrypto in 
Python, but the discussions I've been pointed to at python-dev 
make me think it will probably not happen.

In any case, I don't think it will be so important to get lots of 
batteries in the Python core if people can just use PackMan to install 
things quick and easy.  For versions of Python that ship with SSL 
certificate verification support it could come with enough information 
to verify the authenticity of the main PackMan database.  Other 
versions could maybe ship with the hash and URL of a cryptography 
package and the public key of the main PackMan database, which should 
be relatively safe if the user is allowed to use cryptography.  
Otherwise, they're on their own as far as security goes.

-bob
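
The two-stage bootstrap described in the last paragraph of the message above, as an added example that is not part of the original message or of PackMan: a shipped hash pins the crypto package, and a shipped public key then verifies the database. SHA-256, RSA PKCS#1 v1.5, every name, and the demo key are assumptions; `rsa_verify` is a standard-library stand-in for the verifier the downloaded crypto package would provide.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message, k):
    """Encode SHA-256(message) as a k-byte PKCS#1 v1.5 block."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(message, signature, pubkey):
    """Stand-in for the verify call the downloaded crypto package would supply."""
    n, e = pubkey
    k = (n.bit_length() + 7) // 8
    if not 0 <= signature < n:
        return False
    recovered = pow(signature, e, n).to_bytes(k, "big")
    # Compare the whole encoded block; never parse the padding.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message, k))

def bootstrap(crypto_pkg, pinned_sha256, database, db_sig, pubkey):
    """Return the database only if both links of the trust chain hold."""
    # Stage 1: the fetched crypto package must match the hash shipped with Python.
    digest = hashlib.sha256(crypto_pkg).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise ValueError("crypto package does not match pinned hash")
    # Stage 2: the database must verify under the shipped public key.
    if not rsa_verify(database, db_sig, pubkey):
        raise ValueError("database signature invalid")
    return database

# --- Constructed sample data (assumptions, not from the original message) ---
# Demo key built from two Mersenne primes: trivially factorable, illustration only.
_P, _Q = 2**521 - 1, 2**607 - 1
DEMO_PUBKEY = (_P * _Q, 65537)
_D = pow(65537, -1, (_P - 1) * (_Q - 1))  # private exponent, Python 3.8+

def demo_sign(message):
    """Sign with the demo private key (what the database maintainer would do)."""
    n = DEMO_PUBKEY[0]
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), _D, n)

CRYPTO_PKG = b"constructed stand-in for the crypto package archive"
PINNED_SHA256 = hashlib.sha256(CRYPTO_PKG).hexdigest()
DATABASE = b"constructed stand-in for the PackMan database"
DB_SIG = demo_sign(DATABASE)
```

The pinned hash only authenticates the one package version it was computed from, so updating the crypto package means shipping a new hash through a channel that is already trusted.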



