[Pythonmac-SIG] PackageManager / Python 2.3.x - 2.4 ideas

Bugbee, Larry larry.bugbee at boeing.com
Thu Jul 31 16:56:25 EDT 2003 

Have you considered M2Crypto on top of OpenSSL?  The work I've 
done with it works well.

Larry



-----Original Message-----
From: Bob Ippolito [mailto:bob at redivi.com]
Sent: Thursday, July 31, 2003 3:28 PM
To: pythonmac-sig at python.org
Subject: Re: [Pythonmac-SIG] PackageManager / Python 2.3.x - 2.4 ideas


On Wednesday, Jul 30, 2003, at 17:01 America/New_York, Bob Ippolito 
wrote:

> Have a cryptographically authenticated way of determining the 
> authenticity of 'stuff'.  My search to find a pure python way to do 
> this failed miserably, *everyone* is using C sourcecode for this.  So 
> my proposal for this would be to have two options (1) execute the 
> openssl utility if available (2) use pyOpenSSL to do it.  With CPAN 
> for example, if you don't have a perl module to do something, it will 
> use whatever shell utility it can find to do the task until you 
> actually install the module that CPAN is looking for.  I'm doing some 
> research to figure out what would be a good way to actually execute 
> this.  I'm thinking that Python becomes a central CA, and package 
> repository maintainers get certificates from the Python CA.  Perhaps 
> it may also be possible to have a package repository maintainer 
> authorize an individual package maintainer to manage their package 
> (perform releases directly without bothering the package repository 
> maintainer), perhaps these could live in an "experimental" repository, 
> and then upon approval from a package repository maintainer goes into 
> the "official" repository.  OpenSSL also guarantees that we don't 
> really have to worry about how secure the implementation is so long as 
> the application is otherwise securely designed.  Allow users to trust 
> additional CAs, store those as a preference.
>
> The current infrastructure that uses PackageManager is susceptible to 
> all kinds of attacks (any sort of 'man in the middle' attack: dns 
> spoofing, server hacking, etc).

Ok I looked really hard at this stuff and found out a couple things:
	1)  The openssl command line tool sucks
	2)  There's just no way to do it from pure python
	3)  GPG / OpenPGP is probably the most acceptable solution

So until we get a python implementation of OpenPGP (I think we're about 
half way there with pyCrypto, which isn't pure python but is at least 
under the CNRI Python License), we'll just have to depend on GPG for 
authentication of stuff.  I'll try and figure out how to implement it 
sometime soon.

-bob


_______________________________________________
Pythonmac-SIG maillist  -  Pythonmac-SIG at python.org
http://mail.python.org/mailman/listinfo/pythonmac-sig

More information about the Pythonmac-SIG mailing list