On 14 Feb 2013 03:59, "Donald Stufft" <[email protected]> wrote:
>
> On Wednesday, February 13, 2013 at 5:29 AM, Robert Collins wrote:
>>
>> On 13 February 2013 15:12, Giovanni Bajo <[email protected]> wrote:
>>
>>> Yes, that's correct. GPG chain-of-trust concept is not used in my proposal, because I don't think it would be a good fit for this problem given its requirements. Specifically, I believe pip users should not be bothered with useless click-through questions for each new package they install, which is what you would get far too often in case chain-of-trust were used.
>>
>> But this means someone that gets access to the PyPI server can just mark their own key as trusted and compromise any package they want.
>>
>> -Rob
>>
> I used to have the same idealistic idea that we should be able to *not* trust PyPI for the average user. However PyPI *is* the final authority on who has the right to publish to what name. It would be a bit like trying to determine if the PSF owns python.org without involving the company running the .org TLD.
I see it as similar to the SSL CA system - it has plenty of known flaws, but still closes a whole lot of attack vectors, and thus is worth doing. Particularly security conscious users will still be able to do their own verification, or pay a redistributor to do additional verification on their behalf. (For example, I expect you would fail all the meaningful Common Criteria EAL certification levels if you blindly trusted PyPI).

Cheers,
Nick.
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
