On Sep 3, 2013, at 8:47 AM, Nick Coghlan <ncogh...@gmail.com> wrote:
> On 3 September 2013 22:33, Anders J. Munch <a...@flonidan.dk> wrote:
>> Donald Stufft
>>> It also proposes that
>>> the distributions of Python available via Python.org will automatically run
>>> this explicit bootstrapping method and a recommendation to third party
>>> redistributors of Python to also provide pip by default (in a way
>>> reasonable for their distributions).
>>
>> Before getpip executes code it just downloaded from the 'net, how is
>> it validated? Would getpip contain the public keys of select
>> maintainers to verify the download?
>
> It would be trusting the integrity of PyPI for the software itself,
> and the CA system to know that it's actually talking to PyPI. Far from
> ideal, but we don't have a viable end-to-end signing system yet
> (mostly due to the associated key management and update/revocation
> problems).
>
> Given that the trust model for the installer itself is usually "I
> downloaded it from python.org", the risk isn't actually increased all
> that much.
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia

On top of that it would gain improvements as pip itself gains improvements in this area.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
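The two trust layers Nick describes (a CA-validated TLS connection to reach the server, then trust in whatever that server serves) plus the one cheap check a practitioner can add on top, a digest pinned from a separate trusted channel, as an added Python example. This is not code from get-pip, pip or python.org, and it is not part of the thread; the sample bootstrap payload, its "pinned" digest and the injectable `fetch` callable are constructed here so the module runs offline.

```python
"""Bootstrap-download check: verified TLS plus a pinned SHA-256 digest.

Added example, not code from get-pip, pip or python.org. The real network
path (https_fetch) uses the stdlib's default verifying TLS context; the
digest check is the extra layer the thread's question is asking about.
"""
import hashlib
import hmac
import ssl
import urllib.request
from typing import Callable

# Constructed stand-in for the downloaded bootstrap script (hypothetical).
SAMPLE_BOOTSTRAP = b'BOOTSTRAPPED = "pip"\n'

# In real use this digest must come from a channel the attacker cannot also
# control (signed release notes, an out-of-band message), NOT from the same
# HTTPS response that carries the script. Computed here only so the example
# is self-contained and runs offline.
PINNED_SHA256 = hashlib.sha256(SAMPLE_BOOTSTRAP).hexdigest()


class DownloadRejected(Exception):
    """Raised when fetched bytes do not match the pinned digest."""


def make_tls_context() -> ssl.SSLContext:
    """Context that validates the chain against the platform CA store and
    checks the hostname. This is exactly what 'trusting the CA system' buys:
    you learn you are talking to whoever a CA says owns the name, no more."""
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("default TLS context is not verifying")
    return ctx


def https_fetch(url: str) -> bytes:
    """Real network fetch with certificate and hostname verification."""
    if not url.startswith("https://"):
        raise ValueError("refusing to bootstrap over plaintext HTTP")
    with urllib.request.urlopen(url, context=make_tls_context()) as resp:
        return resp.read()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_verified(url: str, expected_sha256: str,
                   fetch: Callable[[str], bytes] = https_fetch) -> bytes:
    """Download `url`; return the bytes only if they hash to `expected_sha256`.

    `fetch` is injectable so the check can be exercised without a network."""
    data = fetch(url)
    actual = sha256_hex(data)
    # Constant-time comparison; cheap and avoids a needless timing channel.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise DownloadRejected(
            f"digest mismatch for {url}: expected {expected_sha256}, got {actual}")
    return data


def run_bootstrap(code: bytes) -> dict:
    """Stand-in for 'python get-pip.py': execute the verified script in a
    fresh namespace and return that namespace for inspection."""
    ns: dict = {}
    exec(compile(code, "<bootstrap>", "exec"), ns)  # only reached after verification
    return ns


def bootstrap(url: str, expected_sha256: str,
              fetch: Callable[[str], bytes] = https_fetch) -> dict:
    """Fetch, verify, then run. Tampered or substituted bytes never reach exec."""
    return run_bootstrap(fetch_verified(url, expected_sha256, fetch))


if __name__ == "__main__":
    offline = lambda _url: SAMPLE_BOOTSTRAP  # constructed, no network
    print(bootstrap("https://example.invalid/get-pip.py", PINNED_SHA256, offline))
```

Note what the pin does and does not fix: it catches a compromised or substituted file on the server and a CA-level impersonation, but only if the digest was obtained through a channel independent of that server, which is the same key-distribution problem Nick points to for full end-to-end signing.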