[Catalog-sig] Use user-specific site-packages by default?
Donald Stufft
donald.stufft at gmail.com
Tue Feb 5 16:09:12 CET 2013
On Tuesday, February 5, 2013 at 10:06 AM, Giovanni Bajo wrote:
> I do agree; in fact, I'm not the one suggesting to eg. pinning CA certificates.
>
> What I'm saying is that it's far more important to fix HTTPS in PyPI than to verify GPG signatures. So when I hear the argument "if we just verify GPG signatures, that would be enough", I must disagree and explain why it's not true.
Good. Simply pinning a non browser trusted cert isn't good enough because a browser is an
avenue for a MITM too, so we need to secure all the possible egress and ingress points. Once
we have a system where we are reasonably secure when we assume PyPI is still a good
faith actor we can then worry about solving the much harder problems.