[Pythonmac-SIG] Package Manager idea, adding a URL scheme
Jack Jansen
Jack.Jansen at cwi.nl
Wed Oct 8 18:18:19 EDT 2003
On 9-Oct-03, at 0:06, Eric Nieuwland wrote:
> First there the maintainer of the PackMan database needs to be assured
> that the source can be trusted. As there can be many sources, this is
> a hard problem and ultimately would require a full-blown PKI. Now I
> can hardly imagine anyone would like to set up a PKI just for fun. PGP
> probably is the way to go here.
I don't think so: I think MD5 is good enough here. The scapegoat
downloaded a specific source distribution and built it without
problems. S/he gets the md5 sum of that distribution, puts the URL and
md5sum in the database and can be sure that whatever the end user
downloads is correct.
> Then there is the end-user who has to be convinced s/he can trust the
> PackMan database and the packages obtained through it. The discussion
> on MD5/SHA-1 and SSL seem to cover that fine.
And now that I know there is SSL support in MacPython (which very
pleasantly surprised me!!) I think we can solve everything except for
name server spoofing (by having a well-known secure-http URL in the
distribution, that we use to check MD5 sums). Since this is as good as
Safari is (which doesn't complain at all about certificates signed by
unknown parties! To my surprise it doesn't even seem to let you find this
out!!) I think it's good enough for us.
--
Jack Jansen, <Jack.Jansen at cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma Goldman
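The checking scheme discussed in this thread (a maintainer records the checksum of a distribution in the database, the client fetches that database over a certificate-verified HTTPS channel, and then compares the checksum of whatever it downloaded against the recorded one) can be sketched in a few lines of Python. This is an added illustration, not code from MacPython or PackMan; the database layout, the URL and the file contents are constructed for the example. The digest algorithm is a field of the record rather than hard-coded so that the same check works with SHA-2 family hashes, which is what a practitioner would record today since MD5 is no longer collision resistant.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for one PackMan-style database record: the URL of a
# source distribution plus the digest the maintainer computed after building
# it. Neither the URL nor the data corresponds to a real distribution.
GOOD_URL = "https://example.invalid/dist/foo-1.0.tar.gz"
GOOD_DATA = b"foo-1.0 source distribution (constructed sample bytes)"

DATABASE = {
    GOOD_URL: {
        "algorithm": "md5",  # the algorithm the thread discusses; see note above
        "digest": hashlib.md5(GOOD_DATA).hexdigest(),
    },
}


def digest_of(data: bytes, algorithm: str) -> str:
    """Hex digest of `data` under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_distribution(url: str, data: bytes, database=DATABASE) -> bool:
    """True only if `data` matches the digest recorded for `url`.

    An unknown URL fails closed: with no record there is nothing to compare
    against, so the download must not be treated as verified.
    """
    record = database.get(url)
    if record is None:
        return False
    actual = digest_of(data, record["algorithm"])
    # Constant-time comparison; avoids leaking how many leading characters match.
    return hmac.compare_digest(actual, record["digest"])


def https_context() -> ssl.SSLContext:
    """TLS client context for fetching the database from the well-known URL.

    The default context requires a certificate chaining to a trusted CA and
    checks the hostname, i.e. it does not accept certificates signed by unknown
    parties the way the thread reports Safari silently doing.
    """
    return ssl.create_default_context()


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Report whether a context enforces both chain validation and hostname checks."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print("good download verifies:", verify_distribution(GOOD_URL, GOOD_DATA))
    print("altered download verifies:", verify_distribution(GOOD_URL, GOOD_DATA + b"\x00"))
    print("database channel verifies peer:", context_verifies_peer(https_context()))
```

The context returned by `https_context()` would be passed to `urllib.request.urlopen(..., context=ctx)` when fetching the database itself; the distribution files can then be fetched from any mirror, since their integrity is established by the digest rather than by the transport.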