On Aug 6, 2013, at 3:03 AM, mar...@v.loewis.de wrote: > > Quoting holger krekel <hol...@merlinux.eu>: > >> The problem is not so much trusting individuals but that the companies >> in question are based in the US. If its government wants to temporarily >> serve backdoored packages to select regions, they could silently force Fastly >> to do it. I guess the only way around this is to work with pypi- and >> eventually author/maintainer-signatures and verification. > > Both are actually in place, just not widely used. Each simple page gets > a pypi signature, in /serversig, which would allow to validate that a > mirror or the CDN has the copy that is also on the master.
Unless I'm forgetting something there's no real way to get the server key without going through Fastly, and even if there was Fastly could just hijack an upload (and murder their entire business in the process). > > Regards, > Martin > > > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG@python.org > http://mail.python.org/mailman/listinfo/distutils-sig ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig