[Catalog-sig] Add link to secure connection to the PyPI front page

Justin Cappos justinc at cs.washington.edu
Sat Jun 4 22:37:28 CEST 2011


It depends on the threat model which is worse.

If you're worried about the Chinese govt inserting malicious packages
to track dissidents then using a universally accepted SSL cert is a
bad idea. It's easy for a powerful and motivated attacker to get
arbitrary certs signed.

If you think that the risk of having the certificate stolen, loss of
administrative control, etc. is a bigger threat, then a universally
accepted SSL cert seems the wiser outcome.

Of course, if distutils and other tools don't check certs, etc., this
is all academic...

Thanks,
Justin

On Sat, Jun 4, 2011 at 1:30 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> "Martin v. Löwis" wrote:
>>> Which makes me wonder, why is it that PyPI doesn't use a universally
>>> accepted SSL cert instead of the CAcert one? Note: I'm a CAcert assurer
>>> myself but would prefer using a cert by one of the commercial CAs for
>>> the sake of the users.
>>>
>>> Any opinions?
>>
>> Primarily because of lack of volunteer time. Buying a certificate is
>> a big effort, issuing a cacert one is simple.
>>
>> And before anybody says "no, it's not difficult", or "no, it shouldn't
>> be difficult", please consider volunteering for the next ten years to
>> manage the PSF server certificates (as one of the key problems that
>> makes it difficult is that responsibilities change so often with
>> volunteers).
>
> Perhaps we could get Pat, the PSF secretary and administrator
> to deal with the paperwork that's needed to get a certificate.
>
> Installing it is not really such a major task, once you have
> the paperwork done. Should we take this to the PSF board for
> discussion ?
>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source  (#1, Jun 04 2011)
>>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 2011-05-23: Released eGenix mx Base 3.2.0      http://python.egenix.com/
> 2011-05-25: Released mxODBC 3.1.1              http://python.egenix.com/
> 2011-06-20: EuroPython 2011, Florence, Italy               16 days to go
>
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>
>
>   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>           Registered at Amtsgericht Duesseldorf: HRB 46611
>               http://www.egenix.com/company/contact/
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>
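The exchange above turns on two things a client must actually do for the choice of CA to matter: validate the server's certificate chain and hostname at all (Justin's "if distutils and other tools don't check certs, this is all academic"), and decide which roots it trusts (a commercial CA's root is in every default store; a CAcert root has to be supplied explicitly). The following is an added example, not code from the thread or from the PyPI/distutils projects, showing a verifying client context beside the non-verifying one the thread describes, and a certificate-fingerprint pin as the standard mitigation for the "a motivated attacker can get arbitrary certs signed" threat. The host name is taken from the thread's subject; the CA bundle path and the pinned fingerprint values are placeholders, and the byte string in the test is constructed, not a real certificate.

```python
"""
Added example (not part of the Catalog-SIG thread): server certificate
verification and fingerprint pinning for a client talking to PyPI.

Assumptions (hypothetical, not from the thread):
  * PYPI_HOST is taken from the discussion; the port and CA bundle path
    are placeholders.
  * Any pinned fingerprint values used with this code are constructed
    samples, not PyPI's real certificate fingerprints.
"""
import hashlib
import socket
import ssl

PYPI_HOST = "pypi.python.org"   # the server under discussion in the thread


def make_verifying_context(cafile=None):
    """Context that behaves like a browser: chain validation plus hostname check.

    cafile=None uses the platform trust store, which is where a commercial
    CA's root already lives. A CAcert-issued server cert is only accepted if
    the CAcert root is passed here explicitly, because most default stores
    do not ship it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """The 'tools don't check certs' situation, kept here for comparison only.

    TLS still hides the traffic from a passive observer, but any certificate
    (self-signed, expired, issued for another host) is accepted, so an active
    attacker can impersonate the server. check_hostname must be disabled
    before verify_mode is lowered, or the ssl module raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx):
    """True if the context would reject an unauthenticated server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def fingerprint_pinned(der_bytes, pinned):
    """Pinning check on top of CA validation.

    CA validation only establishes that *some* trusted CA vouched for the
    name. The pin establishes that this is the exact certificate the client
    expected, so a certificate for the same name obtained from a different
    CA passes the first check and fails this one. Pins may be given with or
    without colon separators and in either case.
    """
    normalised = {p.lower().replace(":", "") for p in pinned}
    return cert_fingerprint(der_bytes) in normalised


def fetch_peer_cert(host, port=443, cafile=None, timeout=10):
    """Connect with full verification and return the leaf certificate (DER).

    Raises ssl.SSLCertVerificationError when the chain does not lead to a
    trusted root or the certificate does not match the hostname.
    """
    ctx = make_verifying_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Network use. PINS is a constructed placeholder and will not match the
    # live certificate; replace it with the fingerprint you have verified
    # out of band before relying on the pin.
    PINS = ["00" * 32]
    leaf = fetch_peer_cert(PYPI_HOST)
    print("leaf fingerprint:", cert_fingerprint(leaf))
    print("matches pin set:", fingerprint_pinned(leaf, PINS))
```

The two contexts differ only in two attributes, which is exactly why a downloader that never sets them gets no authentication at all; `context_verifies` is the check a packaging tool's test suite could run against the context it actually uses. Pinning the whole-certificate fingerprint is the simplest form and breaks on every certificate renewal, so in practice it is paired with a documented rotation procedure or replaced by a pin on the public key.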