On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:

> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
> SHA2 hash of the file to be downloaded from an external host would be enough
> to detect tampering over time.

You could do this; it still lowers the overall availability of the system, which kinda sucks, and to actually be sane and secure you'd still need to rework the current method of trolling for external URLs.

> pip could come with a copy of PyPI's SSL certificate, verifying that it was
> identical to the expected cert rather than signed by one of 100s of trusted
> CAs.

That loses the ability to change PyPI's SSL cert, basically forever, and still doesn't protect against MITM of someone logging into PyPI through a browser.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
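The two mechanisms the thread weighs, an index-published SHA-256 digest for an externally hosted file and a single pinned server certificate, as an added illustration in Python (this is example code written for this page, not pip's or PyPI's implementation; the index record, archive bytes and certificate bytes are constructed here):

```python
import hashlib
import hmac
import json

# Constructed stand-in for a record that PyPI itself would publish about a
# file hosted elsewhere: the expected digest comes from the index, not from
# the external host that serves the bytes. All values are made up.
INDEX_RECORD = json.dumps({
    "filename": "example-1.0.tar.gz",
    "url": "https://external.example/dist/example-1.0.tar.gz",
    "digests": {"sha256": hashlib.sha256(b"archive contents v1").hexdigest()},
    "published": "2013-02-05T09:24:00Z",
})


def verify_external_download(record_json: str, downloaded: bytes) -> bool:
    """Accept the downloaded bytes only if they match the digest PyPI published.

    A record without a SHA-2 digest gives nothing to check against, so it is
    rejected rather than silently accepted.
    """
    record = json.loads(record_json)
    expected = record.get("digests", {}).get("sha256")
    if not expected:
        return False
    actual = hashlib.sha256(downloaded).hexdigest()
    # Constant-time comparison so a mismatch does not leak digest prefixes.
    return hmac.compare_digest(actual, expected)


def cert_matches_pin(cert_der: bytes, pinned_sha256: str) -> bool:
    """Compare a certificate (DER bytes) against one pinned fingerprint.

    This is the "ship a copy of PyPI's cert" approach from the thread: any
    renewal or re-issue of the certificate changes the fingerprint and makes
    this check fail, which is the availability cost the reply points out.
    """
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(fingerprint, pinned_sha256)
```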
