-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/13/2013 01:06 PM, Donald Stufft wrote:
> Really now? Let's see I can easily protect against malicious uploads
> by only installing from trusted authors

How do you know who to trust? What if an author you trust adds a dependency to a package to an author you have no knowledge of, or one you actively distrust? What if an author you trust commits one of the other changes I outlined (removes a release / distribution, makes backward-incompatible changes, re-uploads a changed distribution over an existing one)?

The only way to implement "only install from trusted authors" is to run your own index, and explicitly review / curate the package set maintained there.

In that scenario, you run a script from time to time which looks for new versions of your packages on PyPI and puts them into a queue for review. Bob, a casual reviewer, might install the new version from PyPI into a fresh virtualenv and test it there before pushing it into the curated index. Carol, more paranoid^Wsecurity minded, downloads the package, verifies its signature, unpacks the tarball, diffs it against the curated version, compares that diff against the changelog, looks at new / changed dependencies, and installs it into a hardened sandbox for testing. Only after that kind of review does she push the newly-reviewed distribution into the curated index.

Adding an entirely new package to the curated index is a similar process, but requires more effort from either Bob or Carol.

Tres.

- --
===================================================================
Tres Seaver          +1 540-429-0999         tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlFAtakACgkQ+gerLs4ltQ5O4wCcC92ew66wVGEPBM/Jr8z1bYU8
e9AAoNXmaiuBHQOIFQlT0SRemI43hoG7
=idDp
-----END PGP SIGNATURE-----
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
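The review step Tres describes for Carol (unpack the candidate tarball, diff it against the curated version, look at new / changed dependencies) as an added Python example. This is not code from the thread, from PyPI, or from any curation tool; it assumes sdists in .tar.gz form with a single top-level directory and a PKG-INFO file carrying Requires-Dist lines, and the two sample releases are constructed in memory so it runs offline. Signature verification and the sandboxed test install are left to the reviewer's existing tooling.

```python
"""Curated-index review helper: compare a candidate sdist with the curated one.

Added example for the review process described in the thread; the sample
releases below are constructed test data, not real PyPI uploads.
"""
import difflib
import io
import tarfile
from typing import Dict, Set


def build_sdist(name: str, version: str, files: Dict[str, str]) -> bytes:
    """Build an in-memory .tar.gz sdist (used only to construct sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=f"{name}-{version}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_sdist(blob: bytes) -> Dict[str, str]:
    """Read every regular file of the tarball into memory, keyed by the path
    below the top-level directory. Nothing is written to disk, and member
    names that could escape the archive root are refused before any reading."""
    files: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError(f"refusing suspicious member name: {m.name!r}")
            if not m.isfile():
                continue  # symlinks, devices etc. are not reviewed as text
            parts = m.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            files[rel] = tf.extractfile(m).read().decode("utf-8", "replace")
    return files


def requires_dist(files: Dict[str, str]) -> Set[str]:
    """Dependencies declared as Requires-Dist lines in the sdist's PKG-INFO."""
    return {
        line.split(":", 1)[1].strip()
        for line in files.get("PKG-INFO", "").splitlines()
        if line.startswith("Requires-Dist:")
    }


def review(curated: bytes, candidate: bytes) -> dict:
    """Report added / removed / changed files, dependency changes and a
    unified diff, i.e. what a reviewer checks against the changelog."""
    old, new = read_sdist(curated), read_sdist(candidate)
    old_deps, new_deps = requires_dist(old), requires_dist(new)
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    diff_lines = []
    for p in changed:
        diff_lines.extend(difflib.unified_diff(
            old[p].splitlines(), new[p].splitlines(),
            fromfile=f"curated/{p}", tofile=f"candidate/{p}", lineterm=""))
    return {
        "added_files": sorted(new.keys() - old.keys()),
        "removed_files": sorted(old.keys() - new.keys()),
        "changed_files": changed,
        "new_deps": sorted(new_deps - old_deps),
        "dropped_deps": sorted(old_deps - new_deps),
        "diff": "\n".join(diff_lines),
    }


# Constructed sample: the curated 1.0 release and a candidate 1.1 upload that
# pulls in a dependency the curator has never heard of.
CURATED = build_sdist("widget", "1.0", {
    "PKG-INFO": "Name: widget\nVersion: 1.0\nRequires-Dist: requests\n",
    "widget/__init__.py": "def run():\n    return 'ok'\n",
})
CANDIDATE = build_sdist("widget", "1.1", {
    "PKG-INFO": "Name: widget\nVersion: 1.1\nRequires-Dist: requests\n"
                "Requires-Dist: unknown-helper\n",
    "widget/__init__.py": "import unknown_helper\n\ndef run():\n"
                          "    return unknown_helper.go()\n",
    "widget/extra.py": "X = 1\n",
})

if __name__ == "__main__":
    report = review(CURATED, CANDIDATE)
    for key in ("added_files", "removed_files", "changed_files",
                "new_deps", "dropped_deps"):
        print(f"{key}: {report[key]}")
    print(report["diff"])
```

The report is what goes into the review queue next to the upstream changelog: a dependency that appears in `new_deps` without a changelog entry, or a file change the changelog does not account for, is exactly the case the curated index exists to catch. Reading members into memory rather than extracting to a directory, and rejecting absolute or `..` member names, keeps the review step itself from being the thing a hostile tarball exploits.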