On 16.07.2013 12:21, Jannis Leidel wrote:
> On 16.07.2013, at 11:19, holger krekel <hol...@merlinux.eu> wrote:
>
>> Any thoughts or pointers to existing efforts within the (Python)
>> packaging ecologies?
>
> Erik Rose just released peep the other day [1], which admittedly doesn't use
> gpg but at least allows pip users to simplify the manual vetting process.
Peep is a bit scary because the author doesn't have much confidence in his own crypto fu: "Proof of concept. Does all the crypto stuff. Should be secure."

Peep doesn't protect you from at least one DoS attack scenario. The tool neither verifies nor limits the size of a downloaded file. In theory an active attacker could make you download an arbitrarily large file in order to clog your network pipes. Eventually your machine runs out of disk space, too.

I'd feel much better if such a tool verified both the hash sum and the file size.

Christian

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
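The check Christian asks for, as an added example that is not part of the thread and not peep's own code: the download is read in bounded chunks against a pinned expected size and SHA-256 digest, so a server that keeps sending is cut off after at most one byte past the pinned size instead of filling the disk, and a short or altered file is rejected before anything is installed. The stream classes, sample content, and the `fetch_verified`/`download_outcome` names are constructed for the example; a real tool would wrap the HTTP response body in place of `io.BytesIO`.

```python
import hashlib
import hmac
import io


class DownloadError(Exception):
    """Base class for all verification failures."""


class TooLarge(DownloadError):
    """The peer sent more bytes than the pinned size allows."""


class Truncated(DownloadError):
    """The stream ended before the pinned size was reached."""


class HashMismatch(DownloadError):
    """The content does not match the pinned SHA-256 digest."""


def fetch_verified(stream, expected_sha256, expected_size, chunk_size=64 * 1024):
    """Read `stream` and return its bytes only if they are exactly
    `expected_size` long and hash to `expected_sha256`.

    The read size is bounded by how many bytes are still allowed, so no more
    than expected_size + 1 bytes are ever requested from the peer. An endless
    or oversized response is therefore aborted early rather than buffered.
    """
    if expected_size < 0:
        raise ValueError("expected_size must be non-negative")
    digest = hashlib.sha256()
    received = bytearray()
    while True:
        # Ask for at most one byte beyond the pinned size: that single extra
        # byte is enough to detect an oversized response without buffering it.
        want = min(chunk_size, expected_size - len(received) + 1)
        chunk = stream.read(want)
        if not chunk:
            break
        received += chunk
        if len(received) > expected_size:
            raise TooLarge("received more than %d bytes, aborting" % expected_size)
        digest.update(chunk)
    if len(received) != expected_size:
        raise Truncated("expected %d bytes, got %d" % (expected_size, len(received)))
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        raise HashMismatch("SHA-256 digest does not match the pinned value")
    return bytes(received)


def download_outcome(stream, expected_sha256, expected_size):
    """Classify the result of fetch_verified as a short status string."""
    try:
        fetch_verified(stream, expected_sha256, expected_size)
    except TooLarge:
        return "too-large"
    except Truncated:
        return "truncated"
    except HashMismatch:
        return "hash-mismatch"
    return "ok"


class EndlessStream:
    """Constructed stand-in for a hostile server that never stops sending."""

    def __init__(self):
        self.sent = 0  # bytes handed out so far, to show how early we stop

    def read(self, n):
        self.sent += n
        return b"A" * n


# Constructed sample "package" and the values a hash-pinning requirements
# file would carry for it (the digest is computed here for the example).
GOOD = b"demo-package-0.1.tar.gz contents (constructed sample)\n" * 40
GOOD_SHA256 = hashlib.sha256(GOOD).hexdigest()
GOOD_SIZE = len(GOOD)


if __name__ == "__main__":
    print("intact  :", download_outcome(io.BytesIO(GOOD), GOOD_SHA256, GOOD_SIZE))
    print("short   :", download_outcome(io.BytesIO(GOOD[:-1]), GOOD_SHA256, GOOD_SIZE))
    print("altered :", download_outcome(io.BytesIO(b"X" + GOOD[1:]), GOOD_SHA256, GOOD_SIZE))
    hostile = EndlessStream()
    print("endless :", download_outcome(hostile, GOOD_SHA256, GOOD_SIZE),
          "after", hostile.sent, "bytes")
```

The size limit is what turns the endless-stream case from a disk-filling download into an immediate abort; the hash alone would only be checked after the download finished, which for a hostile server is never.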