On Wednesday, February 6, 2013 at 4:17 PM, [email protected] wrote:
> > Right, but then we are again back to trusting a central authority, in
> > this case plone.org. If we can trust plone.org, why can't we trust
> > Python.org?
>
> Some people might be concerned that PyPI could have been hacked, spreading
> viruses. Only signing by the original author can detect this attack.
>
> > My suggestion earlier was that whatever system we have will by default
> > trust python.org. Or heck, we can even let the tools ask if it should
> > trust python.org. And then things are good.
>
> That's pretty much the status quo, except that you need to verify that
> you really "got" the package from python.org. For that, either a validation
> of the (existing) SSL server certificate, or the validation of the
> (existing) master mirror signatures would be sufficient.
>
> Regards,
> Martin

FYI, we will be moving to a Class 2 official cert for the foundation soon - Noah is working on the load balancer, and I can issue certs for the foundation at will.

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
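The two checks Martin lists (fetch the index from python.org over a certificate-validated TLS connection, then confirm the archive you hold is the one that index page describes), as an added example that is not part of the original thread and not code from pip or PyPI. It assumes the PyPI "simple" index convention of publishing a digest in the link fragment (`#md5=...` or `#sha256=...`); the index URL, the HTML page and the archive bytes are constructed inline so the verification runs offline, and `fetch()` is the only function that touches the network. Author (GPG) signatures and the master mirror signatures Martin also mentions are a separate check and are not covered here.

```python
"""Verify that a distribution really came from the index you trust.

Check 1: fetch the index over TLS with certificate AND hostname validation,
         so the page you parse is the one python.org served.
Check 2: compare the downloaded archive against the digest that page
         publishes for it (the ``#<hashname>=<hexdigest>`` fragment of the
         simple-index link).  If check 1 holds, check 2 binds the file to
         what python.org said it should be; a tampered mirror fails check 2.
"""
import hashlib
import hmac
import re
import ssl
import urllib.request
from urllib.parse import urljoin

# Simple-index link shape: href="<url>#<hashname>=<hexdigest>"
_LINK_RE = re.compile(r'href="([^"#]+)#(md5|sha1|sha256)=([0-9a-fA-F]+)"')


def strict_tls_context():
    """TLS context that rejects untrusted certificates and hostname mismatches."""
    ctx = ssl.create_default_context()   # loads the platform CA store
    ctx.check_hostname = True            # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable cert -> no connection
    return ctx


def fetch(url, ctx=None):
    """Download ``url`` over a validated TLS connection (needs network access)."""
    if not url.startswith("https://"):
        raise ValueError("refusing plaintext download: %s" % url)
    with urllib.request.urlopen(url, context=ctx or strict_tls_context()) as resp:
        return resp.read()


def parse_index(index_url, html):
    """Map each published filename to (absolute url, hash name, hex digest)."""
    links = {}
    for href, algo, digest in _LINK_RE.findall(html):
        url = urljoin(index_url, href)
        filename = url.rsplit("/", 1)[-1]
        links[filename] = (url, algo.lower(), digest.lower())
    return links


def digest_matches(data, algo, expected_hex):
    """Constant-time comparison of the archive digest with the index's value."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def verify_download(index_url, index_html, filename, archive):
    """True only if the index names ``filename`` and ``archive`` matches its digest."""
    entry = parse_index(index_url, index_html).get(filename)
    if entry is None:
        return False  # the trusted index never published this file
    _url, algo, digest = entry
    return digest_matches(archive, algo, digest)


# --- constructed sample data: hypothetical index URL, page and archive ------
SAMPLE_INDEX_URL = "https://pypi.python.org/simple/example/"
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed example-1.0.tar.gz bytes"
SAMPLE_HTML = (
    '<html><body><a href="../../packages/source/e/example/example-1.0.tar.gz'
    '#sha256=%s">example-1.0.tar.gz</a></body></html>'
    % hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
)

if __name__ == "__main__":
    genuine = verify_download(SAMPLE_INDEX_URL, SAMPLE_HTML,
                              "example-1.0.tar.gz", SAMPLE_ARCHIVE)
    tampered = verify_download(SAMPLE_INDEX_URL, SAMPLE_HTML,
                               "example-1.0.tar.gz", SAMPLE_ARCHIVE + b"x")
    print("genuine archive accepted:", genuine)   # True
    print("tampered archive accepted:", tampered)  # False
```

In real use the index page would come from `fetch(SAMPLE_INDEX_URL)` and the archive from `fetch()` of the URL `parse_index()` returns; the mirror serving the archive need not be trusted at all, since the digest is taken from the page python.org served. Note that the digest check is only as strong as the hash named in the fragment, so `md5` links prove provenance against accidental corruption but not against a deliberate collision.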
