[Catalog-sig] repository security concerns

Kapil Thangavelu k_vertigo@yahoo.com
Sun, 10 Mar 2002 14:42:48 -0800 (PST)


hi folks,

one of my biggest concerns with a python-repository is
dealing with security, as the repository is enabling
of a framework of automatic installation of software
and will also tend to serve as a primary source of
python packages for manual installations. 

i'm interested in attempts to make some sort of
end-to-end (uploader->downloader) security checks. but
i don't want to increase developer overhead more than
what people are willing to do. 

so here's a first attempt at a model.

uploaders will have a copy of their public keys stored
on the repository. new distribution files should
have their checksums signed and uploaded as well. all
uploading should take place over ssl. a file, its
signature, and the public key of the uploader will be
made available for download for verification by the
end user or an automated tool.

is there an easier way to try and ensure end-to-end
security or are there flaws in the above model? does
it require too much of the developer? should the
repository even be attempting to be secure?

thanks

kapil thangavelu
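
The model described in the message above, sketched with the openssl command line as an added example that is not part of the original post: the uploader signs a checksum file, and the downloader checks both the signature and the checksum. The file names, the `.sha256`/`.sig` suffixes, the RSA key type and the helper function names are assumptions made for this illustration, and the key and package are constructed throwaways.

```shell
#!/bin/sh
# Added example of the model in the post. File names, key type and the
# .sha256/.sig suffixes are assumptions; the key is a throwaway.

# Uploader: record the file's SHA-256 checksum, then sign the checksum file.
sign_release() {    # $1 = distribution file, $2 = uploader private key
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1 > "$1.sha256" &&
    openssl dgst -sha256 -sign "$2" -out "$1.sha256.sig" "$1.sha256"
}

# Downloader: succeed only if the signature on the checksum file verifies
# under the uploader's public key AND the file matches the signed checksum.
verify_release() {  # $1 = distribution file, $2 = uploader public key
    openssl dgst -sha256 -verify "$2" -signature "$1.sha256.sig" \
        "$1.sha256" >/dev/null 2>&1 || return 1
    [ "$(cat "$1.sha256")" = "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)" ]
}

# Build a constructed release in directory $1: key pair, file, checksum, sig.
make_demo_release() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/uploader.key" 2>/dev/null &&
    openssl pkey -in "$1/uploader.key" -pubout -out "$1/uploader.pub" &&
    printf 'constructed package contents\n' > "$1/pkg-1.0.tar.gz" &&
    sign_release "$1/pkg-1.0.tar.gz" "$1/uploader.key"
}

demo=$(mktemp -d)
make_demo_release "$demo"
verify_release "$demo/pkg-1.0.tar.gz" "$demo/uploader.pub" &&
    echo "untouched file: accepted"
# Simulate the file being modified after the uploader signed it.
printf 'extra line\n' >> "$demo/pkg-1.0.tar.gz"
verify_release "$demo/pkg-1.0.tar.gz" "$demo/uploader.pub" ||
    echo "modified file: rejected"
rm -rf "$demo"
```

A passing check shows only that the file matches what the holder of that key signed. How much that is worth depends on how the downloader obtained the public key in the first place.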


