On Wednesday, February 13, 2013 at 5:29 AM, Robert Collins wrote:

> On 13 February 2013 15:12, Giovanni Bajo <[email protected]> wrote:
> > Yes, that's correct. GPG chain-of-trust concept is not used in my proposal,
> > because I don't think it would be a good fit for this problem given its
> > requirements. Specifically, I believe pip users should not be bothered with
> > useless click-through questions for each new package they install, which is
> > what you would get far too often in case chain-of-trust were used.
>
> But this means someone that gets access to the PyPI server can just
> mark their own key as trusted and compromise any package they want.
>
> -Rob

I used to have the same idealistic idea that we should be able to *not* trust PyPI for the average user. However PyPI *is* the final authority on who has the right to publish to what name. It would be a bit like trying to determine if the PSF owns python.org without involving the company running the .org TLD.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
