[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Kevin Ollivier kevino at tulane.edu
Fri Oct 3 13:41:40 EDT 2003


Hi all,

What about making it an 'add-on' for Package Manager? I do see this as 
getting potentially very messy to get into Python core, if it is even 
possible. (And even if we could, it would restrict ways in which 
vendors from other countries could re-package the software - i.e. Linux 
vendor X in country Y may have to remove PM from their distro because 
of legal issues) Just make a prompt when the software is first run, 
saying something like: "While every effort is made to ensure that 
packages are legitimate and safe, some packages could contain viruses 
or malicious code that when run could cause harm to your computer. 
Please be aware that there is some risk involved, especially if you are 
loading Package Manager databases from non-official sources. If your 
country allows the import and use of cryptographic software, you may 
download an update to Package Manager that adds more verification 
controls for package authors from 'your URL here'." Or of course make 
the add-in show up in PackageManager itself. =) I think this is a 
compromise which side-steps any legal issues that might arise.

Thanks,

Kevin

On Friday, October 3, 2003, at 10:02  AM, Michael Hudson wrote:

> Bob Ippolito <bob at redivi.com> writes:
>
>> On Friday, Oct 3, 2003, at 12:04 America/New_York, Michael Hudson 
>> wrote:
>>
>>> There are ghastly legal issues that obstruct crypto support (there
>>> have been threads on python-dev about this) and there's also a code
> >>> quality/ease of maintenance issue about pyCrypto itself (I have no
>>> idea about it in this regard).
>>
>> According to the homepage:
>> With the relaxing of US export controls for encryption software, it's
>> now possible to distribute cryptographic source code and export it
>> from the US, so now anyone in the world can download the Python
>> Cryptography Toolkit.
>
> OK, so that means it's legal for the authors of pyCrypto to "export"
> the software from the US -- that doesn't have a lot to do with whether
> it's legal for the person on the other end to use the software.
>
>> What are the remaining legal issues?  Can you point me to any
>> semi-recent threads?  I thought that since the laws were eased up in
>> the US it was pretty safe to throw around cryptography software.
>
> That only changed the situation in the US (and given where
> www.python.org *is* and how Python is developed... well, I don't
> understand it all).
>
> Here's the thread I was thinking of:
>
> http://mail.python.org/pipermail/python-dev/2003-April/034957.html
>
> Marc-Andre Lemburg's posts are the depressing ones.
>
>> Note that the intended use for PackMan isn't cryptography per se, it's
>> cryptographic authentication.  The documents themselves won't be
>> encrypted, but will be signed cryptographically for authentication
>> purposes only.
>
> This *might* make a difference (but only if pyCrypto can be sliced up
> so that you can distribute a portion that can only do authentication).
>
> Given that RSA is easily (if not efficiently) implementable in Python,
> I share your probable opinion that this is all a pile of poo -- but I
> didn't write the world's laws.
>
>> As for code quality / ease of maintenance, a cursory glance of the
>> source code makes me think that it looks clean, commented where it
>> matters, and it's got unit tests that are less than trivial.
> [snippety]
>
> This doesn't seem to be a problem, then.
>
> Cheers,
> mwh
>
> -- 
>   Just put the user directories on a 486 with deadrat7.1 and turn the
>   Octane into the aforementioned beer fridge and keep it in your
>   office. The lusers won't notice the difference, except that you're
>   more cheery during office hours.              -- Pim van Riezen, asr
