On Mon, Aug 05, 2013 at 23:31 -0700, Noah Kantrowitz wrote: > On Aug 5, 2013, at 11:11 PM, Christian Theune <c...@gocept.com> wrote: > > > Two more things: > > > > why is the CDN not suffering from the security problems you describe for > > the mirrors? > > > > a) Fastly seems to be the one owning the certificate for pypi.python.org. > > What?!? > > They have a delegated SAN for it, which digicert (the CA) authorizes with the > domain contact (the board in this case). > > > b) What does stop Fastly from introducing incorrect/rogue code in package > > downloads? > > Basically this one boils down to personal trust from me to the Fastly team > combined with the other companies using them being very reputable. At the end > of the day, there is not currently any cryptographic mechanism preventing > Fastly from doing bad things.
The problem is not so much trusting individuals but that the companies in question are based in the US. If its government wants to temporarily serve backdoored packages to select regions, they could silently force Fastly to do it. I guess the only way around this is to work with pypi- and eventually author/maintainer-signatures and verification. best, holger _______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig