[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

Justin Cappos justinc at cs.washington.edu
Sat Jun 19 20:24:00 CEST 2010


On Sat, Jun 19, 2010 at 8:58 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> A simple way to protect against just the issue you mentioned is to
>> have the clients retrieve the key over HTTPS or distribute the key
>> with the client.
>
> Ok. I have now enabled https for PyPI (https://pypi.python.org/pypi)

Great. Assuming cert checking is implemented properly for the
clients who retrieve your server's key, this will protect against many
simple attacks.

> I don't think adding another dependency to the clients is really acceptable.
> Instead, it must all be self-contained.

Okay, sounds good. We'll look elsewhere!

Thanks,
Justin
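
An added example, not part of the original message and not code from any PyPI client: a sketch of what "cert checking implemented properly" means for a Python client that retrieves a server key over HTTPS. The function names and the key URL passed to `fetch_server_key` are assumptions for illustration.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


def strict_context():
    """Context that verifies the certificate chain and the host name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context():
    """The weak setting: encrypts, but does not authenticate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the reasons a context would not authenticate the server."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("host name is not checked against the certificate")
    return problems


def fetch_server_key(url, ctx):
    """Download key material, refusing plain HTTP and unverified TLS.

    `url` is supplied by the caller; no real key location is assumed here.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("key must be fetched over https")
    problems = audit_context(ctx)
    if problems:
        raise ValueError("; ".join(problems))
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        # urllib follows redirects; reject a response that ended on plain HTTP.
        if urlsplit(resp.geturl()).scheme != "https":
            raise ValueError("redirected away from https")
        return resp.read()
```
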

