[Python-Dev] Thoughts fresh after EuroPython

geremy condra debatem1 at gmail.com
Mon Jul 26 16:29:14 CEST 2010


On Mon, Jul 26, 2010 at 7:21 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
> On Mon, Jul 26, 2010 at 2:10 PM, geremy condra <debatem1 at gmail.com> wrote:
>> On Mon, Jul 26, 2010 at 4:52 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>>> On Mon, Jul 26, 2010 at 1:20 PM, geremy condra <debatem1 at gmail.com> wrote:
>>>> On Mon, Jul 26, 2010 at 4:02 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:
>>>>> On Sat, Jul 24, 2010 at 4:08 PM, Guido van Rossum <guido at python.org> wrote:
>>>>
>>>> <snip>
>>>>
>>>>>> Mirroring apparently also
>>>>>> requires some client changes.
>>>>>
>>>>> Mirrors can be used as long as you manually point a mirror when using
>>>>> them. We are working on making the
>>>>> switch automatic.
>>>>
>>>> I think we've talked briefly about this before, but let me reiterate
>>>> that getting this right from a security point of view is quite a bit
>>>> harder than it at first appears, and IMHO it is worth getting right.
>>>
>>> FWIW, Martin has added a section about mirror authenticity in the PEP:
>>>
>>> http://www.python.org/dev/peps/pep-0381/#mirror-authenticity
>>
>> This is more-or-less what was discussed earlier, and from what's
>> described here I think the concerns I voiced stand. What's the right
>> way to do disclosure on this sort of issue?
>
> I would recommend discussing it in Distutils-SIG and proposing a
> change to that PEP.

I've noticed that I don't have a lot of success in shifting this kind
of debate, so I'm not sure it's a good idea to publicly discuss
vulnerabilities in something that may wind up being implemented as-is,
but it's up to you guys.

Geremy Condra
