On Aug 6, 2013, at 3:29 AM, mar...@v.loewis.de wrote:
>
> Quoting Donald Stufft <don...@stufft.io>:
>
>> Unless I'm forgetting something there's no real way to get the server key
>> without going through Fastly
>
> You should have a copy of the server key upfront, on your disk.
>
> You can still get it directly from pypi with an HTTP request to
> pypi.into.python.org/serverkey.
>
>> and even if there was Fastly could just hijack
>> an upload (and murder their entire business in the process).
>
> Couldn't you also use pypi.int.python.org for uploading?
>
> Regards,
> Martin
pypi.int.python.org is not a public name and has no promise of existing tomorrow. Even if it were, it's HTTP only, and thus now you have an attacker who can substitute his own key for the server key and his own serversig for packages downloaded over HTTP from a mirror. The same thing applies to uploading, so you remove the possibility of Fastly attacking you and open up the much wider chance that a MITM would attack you.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
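The trust argument in the reply above, made concrete as an added example that is not part of the thread or of PyPI's code: a client that verifies a mirror's serversig against a key already pinned on disk rejects a substituted package, while a client that fetches the server key over the same unauthenticated channel accepts whatever key and signature the attacker supplies. Go's standard-library Ed25519 stands in for PyPI's actual signing algorithm; the `Mirror` type, function names and package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Mirror models what a client receives over an untrusted channel (an HTTP
// mirror or a MITM on the path to it): the package bytes, the detached
// server signature and, in the weak design, the "server key" itself.
type Mirror struct {
	Package   []byte
	ServerSig []byte
	ServerKey ed25519.PublicKey
}

// verifyPinned checks the signature against a key the client already holds
// on disk; the key never travels over the untrusted channel.
func verifyPinned(pinned ed25519.PublicKey, m Mirror) bool {
	return ed25519.Verify(pinned, m.Package, m.ServerSig)
}

// verifyFetched trusts whatever key arrived with the download, which is what
// fetching /serverkey over plain HTTP amounts to.
func verifyFetched(m Mirror) bool {
	return ed25519.Verify(m.ServerKey, m.Package, m.ServerSig)
}

// scenario builds an honest mirror and a tampered one and reports whether each
// verification strategy accepts the tampered package (and the honest one).
func scenario() (pinnedAcceptsTampered, fetchedAcceptsTampered, pinnedAcceptsHonest bool) {
	pypiPub, pypiPriv, _ := ed25519.GenerateKey(rand.Reader) // the real server key
	mitmPub, mitmPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's key

	honest := []byte("constructed: pkg-1.0.tar.gz contents")
	honestMirror := Mirror{honest, ed25519.Sign(pypiPriv, honest), pypiPub}

	// The attacker rewrites the package, re-signs it with his own key and
	// serves that key in place of the server key.
	tampered := []byte("constructed: pkg-1.0.tar.gz tampered contents")
	evilMirror := Mirror{tampered, ed25519.Sign(mitmPriv, tampered), mitmPub}

	return verifyPinned(pypiPub, evilMirror), verifyFetched(evilMirror), verifyPinned(pypiPub, honestMirror)
}

func main() {
	p, f, h := scenario()
	fmt.Printf("pinned key accepts tampered: %v\nfetched key accepts tampered: %v\npinned key accepts honest: %v\n", p, f, h)
}
```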
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig