[Catalog-sig] File integrity checking and host blocking for EasyInstall

Richard Jones richardjones at optushome.com.au
Fri Aug 19 01:15:29 CEST 2005


On Fri, 19 Aug 2005 09:08 am, Phillip J. Eby wrote:
> On Mon, 15 Aug 2005, Richard Jones wrote:
> > On Mon, 15 Aug 2005 09:06 am, Phillip J. Eby wrote:
> > > http://www.python.org/packages/source/s/setuptools/setuptools-0.5a13.zip#md5=91f31a9058330174640a867cf5d4de57
> >
> > Any idea what various "normal" browsers do when they encounter something
> > like this?
>
> Well, Firefox works fine.  I haven't tried IE or Mozilla or anything
> else.  That is a valid link above, so if you still have the original email
> you can click on it and see what happens.  :)

I'll be wanting to hear feedback from someone who has IE before I make the 
jump. I just worry too much, probably :)


> > > So, this is not a complete security solution, as it doesn't deal with
> > > end-to-end file integrity, and could easily be subverted by taking over
> > > a site somewhere in the middle (e.g. python.org).  But until we have
> > > more of the cryptographic infrastructure in place, I think this plan
> > > could provide us with a good starting point.  Comments, anyone?
> >
> > I presume the distutils discussion included the signing of packages that
> > PyPI supports?
>
> Yes; I have yet to encounter a signed package yet

http://www.python.org/pypi/roundup :)


     Richard
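
Added example, not part of the original message and not EasyInstall's own code: a sketch of how a download client could check a file against the "#md5=" fragment carried by a link like the one quoted above. The function names, the packages.example host and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


class IntegrityError(Exception):
    """The download does not match the digest carried by its link."""


def expected_md5(link):
    """Return the hex digest from a '#md5=<hex>' fragment, or None if absent."""
    name, sep, value = urlsplit(link).fragment.partition("=")
    if name != "md5" or not sep:
        return None
    value = value.lower()
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise IntegrityError("malformed md5 fragment in %r" % link)
    return value


def verify_download(link, data, require_digest=True):
    """Compare the MD5 of the downloaded bytes with the link's fragment."""
    want = expected_md5(link)
    if want is None:
        if require_digest:
            raise IntegrityError("link carries no md5 fragment")
        return False  # nothing to check against
    got = hashlib.md5(data).hexdigest()
    if not hmac.compare_digest(got, want):
        raise IntegrityError("md5 mismatch: got %s, expected %s" % (got, want))
    return True


# Constructed sample: stand-in archive bytes and a link built from their digest.
SAMPLE = b"constructed stand-in for a package archive"
SAMPLE_LINK = ("http://packages.example/source/demo-0.1.zip#md5="
               + hashlib.md5(SAMPLE).hexdigest())


def outcome(link, data):
    """Return 'ok' or the reason the check failed, for display."""
    try:
        verify_download(link, data)
        return "ok"
    except IntegrityError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print(outcome(SAMPLE_LINK, SAMPLE))                # intact download
    print(outcome(SAMPLE_LINK, SAMPLE + b"\x00"))      # corrupted in transit
    print(outcome(SAMPLE_LINK.split("#")[0], SAMPLE))  # link without a digest
```

The digest is only as trustworthy as the page that served the link, which is the limitation the quoted text describes: the check catches a file that differs from what the index advertised, not an index that has itself been altered.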