On 3 September 2013 22:33, Anders J. Munch <[email protected]> wrote:
> Donald Stufft
>> It also proposes that
>> the distributions of Python available via Python.org will automatically run
>> this explicit bootstrapping method and a recommendation to third party
>> redistributors of Python to also provide pip by default (in a way
>> reasonable for their distributions).
>
> Before getpip executes code it just downloaded from the 'net, how is
> it validated? Would getpip contain the public keys of select
> maintainers to verify the download?
It would be trusting the integrity of PyPI for the software itself, and the CA system to know that it's actually talking to PyPI. Far from ideal, but we don't have a viable end-to-end signing system yet (mostly due to the associated key management and update/revocation problems).

Given that the trust model for the installer itself is usually "I downloaded it from python.org", the risk isn't actually increased all that much.

Cheers,
Nick.

--
Nick Coghlan | [email protected] | Brisbane, Australia

_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
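The two trust anchors Nick describes (TLS with CA verification to reach PyPI, and nothing beyond that for the script itself) can be supplemented on the client side by pinning a digest obtained out of band. The following is an added illustration, not get-pip's own code; it assumes the caller already holds an expected SHA-256 digest for the bootstrap script and shows the check that would refuse to execute a download that does not match it.

```python
"""Hash-pinned bootstrap verification (added example, not the get-pip code).

Assumption: the expected SHA-256 digest of the bootstrap script was obtained
out of band (for example, published alongside the installer), so the download
is checked against something other than the TLS connection that delivered it.
"""
import hashlib
import hmac
import ssl
import urllib.request


def sha256_hex(data: bytes) -> str:
    """Return the lower-case hex SHA-256 digest of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_bootstrap(data: bytes, expected_sha256: str) -> bool:
    """True only if the downloaded bytes match the pinned digest.

    compare_digest avoids a timing side channel on the comparison; the
    expected digest is normalised to lower-case hex before comparing.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def fetch_verified(url: str, expected_sha256: str, timeout: float = 30.0) -> bytes:
    """Download over TLS with CA and hostname verification, then pin the hash.

    ssl.create_default_context() enables certificate and hostname checking,
    which is the 'CA system' trust the thread describes; the digest check
    adds a second, independent anchor before anything is executed.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        data = resp.read()
    if not verify_bootstrap(data, expected_sha256):
        raise RuntimeError("bootstrap script digest mismatch; refusing to execute")
    return data


# Constructed sample standing in for a downloaded bootstrap script.
SAMPLE_SCRIPT = b"print('hello from a bootstrap script')\n"
SAMPLE_DIGEST = sha256_hex(SAMPLE_SCRIPT)
```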
