On Tuesday, February 5, 2013 at 10:41 AM, holger krekel wrote:
> MITM attacking any of the many world-wide pypi/easy_install downloads
> from external sites is much easier than tampering with a few one-time
> downloads (verified against each other) for pypi.python.org
> (http://pypi.python.org)'s serving purposes. By contrast, changing
> client-side tools and defaults is going to take much longer and will
> not reach everybody.
>
> IOW, I believe that improving the serving side is good low-hanging
> fruit.
Besides the issues with validating that the package we are mirroring is the authentic one, there's also a legal issue. We don't know for sure that we have the legal rights to redistribute those files. When you upload a file to PyPI you grant the PSF a license to do that; no upload from the author = no license. IANAL, but I think I'm correct on that.
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
