[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Eric Nieuwland eric.nieuwland at xs4all.nl
Thu Oct 9 14:04:25 EDT 2003

Jack Jansen said:
> On 9-okt-03, at 0:06, Eric Nieuwland wrote:
>> First there the maintainer of the PackMan database needs to be assured
>> that the source can be trusted. As there can be many sources, this is
>> a hard problem and ultimately would require a full-blown PKI. Now I
>> can hardly imagine anyone would like to set-up a PKI just for fun. PGP
>> probably is the way to go here.
> I don't think so: I think MD5 is good enough here. The scapegoat
> downloaded a specific source distribution and built it without
> problems. S/he gets the md5 sum of that distribution, puts the URL and
> md5sum in the database and can be sure that whatever the end user
> downloads is correct.

OK. I assumed that the scapegoat would like to know for sure where the
code came from. Otherwise, s/he has to either trust the source and thus
the developer or review and test every package.

>> Then there is the end-user who has to be convinced s/he can trust the
>> PackMan database and the packages obtained through it. The discussion
>> on MD5/SHA-1 and SSL seem to cover that fine.
> And now that I know there is SSL support in MacPython (which very
> pleasantly surprised me!!)
> I think we can solve everything except for name server spoofing (by
> having a wellknown
> secure-http URL in the distribution, that we use to check MD5 sums).

Now if we could use a fixed IP-address for the next ten years or so, then
we could by-pass the name server and avoid the spoofing issue.

More information about the Pythonmac-SIG mailing list