[Catalog-sig] SSL for PyPI
"Martin v. Löwis"
martin at v.loewis.de
Wed Feb 24 20:10:45 CET 2010
Martin v. Löwis wrote:
>> Sorry if this is the wrong group (if it is, please redirect me to the
>> proper list), but I'd like to suggest that PyPI be available via SSL
>> protection.
>
> Notice that it already supports SSH access for this very purpose.

Ah. For that, download tools should use the server signatures protocol,
i.e. access (e.g.)

http://pypi.python.org/serversig/roundup

This will also allow verifying the authenticity of mirrors that follow
PEP 381.

Download tools should cache the server key (and might also choose to
hard-code it). Exact roll-over procedures are not defined yet, but I
plan to always sign the next key with the previous one.

Regards,
Martin
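
An added example, not part of the original message and not PyPI's or PEP 381's code: one way a download tool could combine a cached (pinned) server key with the roll-over rule described above, where each next key is signed by the previous one. The record format, the function names and the textbook-RSA toy keys built from known Mersenne primes are assumptions chosen so the example runs on the Python standard library alone; the toy keys are not secure and are not the signature scheme the server uses.

```python
import hashlib

E = 65537  # public exponent used for every constructed key

def make_key(p, q):
    """Toy RSA key from two known primes: returns ((n, e), d)."""
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, pub, d):
    return pow(_digest(data, pub[0]), d, pub[0])

def verify(data, sig, pub):
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _digest(data, n)

def encode_key(pub):
    """Byte form of a public key, i.e. what the previous key signs (assumed)."""
    return b"%d:%d" % pub

def trusted_key(pinned, rollovers):
    """Walk roll-over records from the pinned key to the current server key.

    Each record is (next_public_key, signature_made_with_previous_key).
    A record that the key trusted so far did not sign stops the walk.
    """
    current = pinned
    for next_pub, sig in rollovers:
        if not verify(encode_key(next_pub), sig, current):
            raise ValueError("roll-over record not signed by the previous key")
        current = next_pub
    return current

def check_index(page, sig, pinned, rollovers):
    """Accept a page from any mirror only if the chained key signed it."""
    return verify(page, sig, trusted_key(pinned, rollovers))

# Constructed demo data: three key generations and one signed index page.
K1, D1 = make_key(2**61 - 1, 2**127 - 1)
K2, D2 = make_key(2**89 - 1, 2**107 - 1)
K3, D3 = make_key(2**31 - 1, 2**521 - 1)
ROLLOVERS = [(K2, sign(encode_key(K2), K1, D1)),
             (K3, sign(encode_key(K3), K2, D2))]
PAGE = b"<a href='roundup-0.0.tar.gz'>roundup-0.0.tar.gz</a>\n"  # constructed
PAGE_SIG = sign(PAGE, K3, D3)
```

A tool that pinned `K1` accepts the page only by walking both roll-over records; a tool that cached `K2` later needs only the second record.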