Nick Coghlan:
> It would be trusting the integrity of PyPI for the software itself,
> and the CA system to know that it's actually talking to PyPI. Far from
> ideal, but we don't have a viable end-to-end signing system yet
> (mostly due to the associated key management and update/revocation
> problems).

So retrieving pip is over https and the cert is validated? That's a satisfactory answer, certainly.

> Given that the trust model for the installer itself is usually "I
> downloaded it from python.org", the risk isn't actually increased all
> that much.

I'd worry about any increase in risk. If the target becomes big enough, malware may start targeting Python auto-install mechanisms, even if it doesn't today.

The python.org installers are PGP signed, by the way. Maybe you meant the installers retrievable through PyPI?

regards,
Anders

_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
