[Catalog-sig] Fwd: [Draft] Package signing and verification process
martin at v.loewis.de
Wed Feb 6 22:17:53 CET 2013
> Right, but then we are again back to trusting a central authority, in
> this case plone.org. If we can trust plone.org, why can't we trust
> Python.org?
Some people might be concerned that PyPI could have been hacked, spreading
viruses. Only signing by the original author can detect this attack.
> My suggestion earlier was that whatever system we have will by default
> trust python.org. Or heck, we can even let the tools ask if it should
> trust python.org. And then things are good.
That's pretty much the status quo, except that you need to verify that
you really "got" the package from python.org. For that, either a validation
of the (existing) SSL server certificate, or the validation of the
(existing) master mirror signatures would be sufficient.
Regards,
Martin
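The distinction Martin draws (trusting python.org's signature versus requiring the original author's signature when the index itself has been hacked), as an added illustrative model that is not part of this thread or of any PyPI tooling; it assumes Ed25519 detached signatures over the file bytes and uses constructed sample releases:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Package models one file as served by the index: its bytes plus detached
// signatures from the author and from the index (python.org or a mirror).
type Package struct {
	Data      []byte
	AuthorSig []byte
	IndexSig  []byte
}
// Outcome records what each verification strategy concludes.
type Outcome struct{ IndexAccepts, AuthorAccepts bool }
// Check applies both strategies from the thread: trust only the index's
// signature, or require the original author's signature.
func Check(indexPub, authorPub ed25519.PublicKey, p Package) Outcome {
	return Outcome{
		IndexAccepts:  ed25519.Verify(indexPub, p.Data, p.IndexSig),
		AuthorAccepts: ed25519.Verify(authorPub, p.Data, p.AuthorSig),
	}
}
// newKey generates a fresh Ed25519 key pair (constructed for the demo).
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// Scenario publishes an honest release, then replays the attack Martin
// describes: the index is hacked and serves a trojaned file, re-signed with
// the index key the attacker now holds. The author's key never left the author.
func Scenario() (honest, attacked Outcome) {
	authorPub, authorPriv := newKey()
	indexPub, indexPriv := newKey()
	good := []byte("example-1.0.tar.gz: genuine release") // constructed sample
	p := Package{Data: good, AuthorSig: ed25519.Sign(authorPriv, good)}
	p.IndexSig = ed25519.Sign(indexPriv, good) // index signs what it received
	honest = Check(indexPub, authorPub, p)
	bad := []byte("example-1.0.tar.gz: trojaned release") // swapped on the index
	p.Data, p.IndexSig = bad, ed25519.Sign(indexPriv, bad)
	attacked = Check(indexPub, authorPub, p)
	return honest, attacked
}

func main() {
	h, a := Scenario()
	fmt.Printf("honest release: %+v\nhacked index: %+v\n", h, a)
}
```

Trusting only the index key reports the trojaned file as good, which is why Martin says only the author's signature detects this attack; validating the server certificate or master mirror signature still matters, but for the separate question of whether you got the file from python.org at all.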