"Martin v. Löwis" wrote: >> * How will clients be sure that they are getting the correct key ? > > They should initially download it from the master server (when that is > online) and cache it.
So they'll use HTTPS and check the server certificate as well ? >> * What would a client do if the PyPI server is down ? > > Isn't that straight-forward? If the local cache doesn't have the server key, the tools would have to download it from somewhere and if the main server is down, that's not possible, so you reintroduce a single point of failure. >> * How would clients protect their local cached copy of the >> server key against manipulation ? > > Using standard operating system access control. So clients will have to be careful to get this right. >> * Without access to OpenSSL and M2Crypto, how would clients >> apply the check ? > > distribute could include a pure-python checking function. The API > was specifically designed to make this possible. Do you have a pure-Python DSA and PEM/DER parsing function available ? Wouldn't a set of hex dumps be easier to parse ? >> Also, please consider that access to crypto code is restricted >> in some parts of the world. Users in those countries would have >> to be able to turn off verification. > > Most certainly. The simplest approach would be to turn off mirror usage > in the first place. If you do use mirrors, it is then a matter of your > own risk evaluation whether you want the mirror result verified. > > Notice that none of this protects against the master server being > tempered; the only way to protect against that is to use the PGP signing > feature in PyPI (which, of course, package authors must use). Right, it's just an end-to-end authentication. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Jun 15 2010) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ 2010-07-19: EuroPython 2010, Birmingham, UK 33 days to go ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ _______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
