On Tuesday, February 5, 2013 at 10:06 AM, Giovanni Bajo wrote:

> I do agree; in fact, I'm not the one suggesting to e.g. pinning CA
> certificates.
>
> What I'm saying is that it's far more important to fix HTTPS in PyPI than to
> verify GPG signatures. So when I hear the argument "if we just verify GPG
> signatures, that would be enough", I must disagree and explain why it's not
> true.

Good. Simply pinning a non-browser-trusted cert isn't good enough because a browser is an avenue for a MITM too, so we need to secure all the possible egress and ingress points. Once we have a system where we are reasonably secure when we assume PyPI is still a good faith actor, we can then worry about solving the much harder problems.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
