On Sat, Jun 19, 2010 at 8:58 AM, "Martin v. Löwis" <[email protected]> wrote:
>> A simple way to protect against just the issue you mentioned is to
>> have the clients retrieve the key over HTTPS or distribute the key
>> with the client.
>
> Ok. I have now enabled https for PyPI (https://pypi.python.org/pypi)

Great. Assuming cert checking is implemented properly for the
clients who retrieve your server's key, this will protect against many
simple attacks.

> I don't think adding another dependency to the clients is really acceptable.
> Instead, it must all be self-contained.

Okay, sounds good. We'll look elsewhere!

Thanks,
Justin
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
