[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Jack Jansen Jack.Jansen at cwi.nl
Wed Oct 8 18:18:19 EDT 2003


On 9-okt-03, at 0:06, Eric Nieuwland wrote:
> First there the maintainer of the PackMan database needs to be assured 
> that the source can be trusted. As there can be many sources, this is 
> a hard problem and ultimately would require a full-blown PKI. Now I 
> can hardly imagine anyone would like to set-up a PKI just for fun. PGP 
> probably is the way to go here.

I don't think so: I think MD5 is good enough here. The scapegoat 
downloaded a specific source distribution and built it without 
problems. S/he gets the md5 sum of that distribution, puts the URL and 
md5sum in the database and can be sure that whatever the end user 
downloads is correct.

> Then there is the end-user who has to be convinced s/he can trust the 
> PackMan database and the packages obtained through it. The discussion 
> on MD5/SHA-1 and SSL seem to cover that fine.

And now that I know there is SSL support in MacPython (which very 
pleasantly surprised me!!) I think we can solve everything except for 
name server spoofing (by having a well-known secure-http URL in the 
distribution, that we use to check MD5 sums).

Since this is as good as Safari is (which doesn't complain at all about 
certificates signed by unknown parties! To my surprise it doesn't even 
seem to let you find this out!!) I think it's good enough for us.
--
Jack Jansen, <Jack.Jansen at cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma Goldman
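The scheme Jack sketches has two halves: the maintainer who built a distribution cleanly records its URL and digest in the database, and the end user recomputes the digest of whatever they downloaded and compares it. The following is an added example written for this page, not code from PackMan or MacPython; the function names, the `entry` dictionary layout, the sample archive bytes and the placeholder URL are all assumptions. It keeps MD5 because that is what the message proposes and lists SHA-1 because the thread mentions it alongside MD5; the `fetch` callable stands in for the secure-http download so the script runs offline.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Digest algorithms named in the thread. Kept as the page discusses them;
# the verifier is parameterised so the database entry decides which is used.
SUPPORTED_ALGORITHMS = ("md5", "sha1")


def compute_digest(data: bytes, algorithm: str) -> str:
    """Return the lowercase hex digest of data under the named algorithm."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def record_entry(url: str, data: bytes, algorithm: str = "md5") -> Dict[str, str]:
    """Maintainer side: after a clean build, pin the URL and the digest of
    exactly the archive bytes that were built (hypothetical entry layout)."""
    return {"url": url, "algorithm": algorithm,
            "digest": compute_digest(data, algorithm)}


def verify_distribution(data: bytes, entry: Dict[str, str]) -> bool:
    """End-user side: recompute the digest and compare in constant time.
    A malformed entry or unknown algorithm counts as a failed check."""
    try:
        actual = compute_digest(data, entry["algorithm"])
        expected = entry["digest"].lower()
    except (KeyError, ValueError, AttributeError):
        return False
    return hmac.compare_digest(actual, expected)


def verify_download(entry: Dict[str, str],
                    fetch: Callable[[str], bytes]) -> bytes:
    """Fetch entry['url'] via the supplied callable and hand the bytes back
    only if they match the pinned digest; otherwise raise."""
    data = fetch(entry["url"])
    if not verify_distribution(data, entry):
        raise ValueError(f"digest mismatch for {entry['url']}")
    return data


# Constructed sample archive bytes; not a real distribution.
SAMPLE_ARCHIVE = b"\x1f\x8b\x08\x00constructed-sample-archive-bytes"
# Placeholder URL, not a real download location.
SAMPLE_URL = "https://example.invalid/dist/sample-1.0.tar.gz"


def _offline_fetch(url: str) -> bytes:
    """Stand-in for the HTTPS fetch so the example runs without a network."""
    return SAMPLE_ARCHIVE


def demo() -> bool:
    """Round trip: record an entry, verify the genuine bytes, reject a
    modified archive. Returns True when both checks behave as expected."""
    entry = record_entry(SAMPLE_URL, SAMPLE_ARCHIVE)
    good = verify_download(entry, _offline_fetch)
    tampered = SAMPLE_ARCHIVE + b"\x00"
    return good == SAMPLE_ARCHIVE and not verify_distribution(tampered, entry)


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

The comparison uses `hmac.compare_digest` so that the check does not leak how many leading characters of the digest matched. The check only covers what the message claims for it: a substituted archive at the recorded URL is caught, but the entry itself (URL and digest together) has to arrive over the authenticated channel, which is exactly the name-server-spoofing gap the message leaves open.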