The critical path on the current system is "you request the package index or package file itself from https://pypi.python.org and assert that it is correct because the certificate verifies". In the proposed system the critical path is "you request the trust file from https://pypi.python.org and assert that it is correct because the certificate verifies". As you might note, these are functionally equivalent. If you can break one, you can break the other.
--Noah

On Jul 28, 2014, at 12:26 PM, Paul Moore <[email protected]> wrote:

> On 28 July 2014 20:19, Noah Kantrowitz <[email protected]> wrote:
>> To be clear, this adds literally no security.
>
> Really? For my education, could you clarify? Is this because we can
> assume (with https) that every step between the developer uploading to
> PyPI and the user downloading to his local PC is secured?
>
> Paul
_______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
