PackMan security (was: [Pythonmac-SIG] FAQ item)

Jack Jansen Jack.Jansen at cwi.nl
Tue Jul 29 23:17:59 EDT 2003


On Tuesday, Jul 29, 2003, at 21:29 Europe/Amsterdam, Bob Ippolito wrote:

> I'd also like to mention that there are some pretty *serious security 
> flaws* with the current way Package Manager works that should be 
> higher priority than making it pretty.  We need to start a new thread 
> discussing this.. is this the proper SIG for it?

I'm not sure what the right place to discuss this is. Let's keep it
here, for now.
I plan to do a PEP later, but as PackMan solves a real problem I didn't
want to get bogged down by zillions of people all trying to bend PackMan
to their own needs until 2.3 was out.

Let's hear about the security flaws. The only one I'm aware of is that
the URL that is built in to packman isn't secure HTTP. From that point
on I was under the impression that everything was secure. Or, "secure",
let me rephrase that: there is only one person you put your trust in,
and that is the person who created the database.
--
- Jack Jansen        <Jack.Jansen at oratrix.com>        http://www.cwi.nl/~jack -
- If I can't dance I don't want to be part of your revolution -- Emma Goldman -



