The critical path on the current system is "you request the package index or package file itself from https://pypi.python.org and assert that it is correct because the certificate verifies". In the proposed system the critical path is "you request the trust file from https://pypi.python.org and assert that it is correct because the certificate verifies". As you might note, these are functionally equivalent. If you can break one, you can break the other.
--Noah

On Jul 28, 2014, at 12:26 PM, Paul Moore <p.f.mo...@gmail.com> wrote:

> On 28 July 2014 20:19, Noah Kantrowitz <n...@coderanger.net> wrote:
>> To be clear, this adds literally no security.
>
> Really? For my education, could you clarify? Is this because we can
> assume (with https) that every step between the developer uploading to
> PyPI and the user downloading to his local PC is secured?
>
> Paul
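The "functionally equivalent" claim above can be checked with a small model. The following is an added example, not code from the message, from pip, or from PyPI: it uses a toy keyed-hash "signature" in place of a real signature scheme, constructed sample package bytes and keys, and assumed function names. It compares the current scheme (trust the package because the HTTPS channel verified), the proposed scheme (fetch a trust file over that same channel and check the package signature against a key it lists), and, as a contrast the message only implies, a key obtained out of band. When the channel is intact all three accept the genuine package; when the channel is broken the first two accept whatever arrived, because the trust file arrived over the same broken channel, while only the out-of-band key rejects it.

```python
import hashlib
import hmac


def sign(key: bytes, data: bytes) -> str:
    # Toy signature: keyed SHA-256. Stands in for a real signature scheme.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def publish(key: bytes, package: bytes) -> dict:
    """What the server hosts for one package: the file, its signature, and
    the trust file listing the key the signature should be checked against."""
    return {
        "package": package,
        "signature": sign(key, package),
        "trust_file": {"keys": [key.hex()]},
    }


# Constructed sample data (assumptions, not real PyPI artefacts).
REAL_KEY = b"real-publisher-key"          # key the legitimate publisher signs with
REAL_PACKAGE = b"example-1.0.tar.gz contents"
HOSTED = publish(REAL_KEY, REAL_PACKAGE)
ATTACKER_KEY = b"attacker-key"
# Self-consistent set (package, signature, trust file) that did not come from
# the publisher; it models what a client receives once the channel is broken.
FORGED = publish(ATTACKER_KEY, b"tampered contents")


def fetch(channel_broken: bool) -> dict:
    """The HTTPS channel. 'Broken' means the certificate check the message
    relies on no longer protects the user, so the received bytes are not
    the hosted ones."""
    return FORGED if channel_broken else HOSTED


def accept_current(received: dict) -> bool:
    """Current scheme: the package is trusted because the channel verified."""
    return True


def accept_trust_file_from_channel(received: dict) -> bool:
    """Proposed scheme: the key comes from the trust file fetched over the
    same channel as the package, then the signature is checked against it."""
    return any(
        hmac.compare_digest(sign(bytes.fromhex(k), received["package"]), received["signature"])
        for k in received["trust_file"]["keys"]
    )


def accept_pinned_key(received: dict, pinned_key: bytes = REAL_KEY) -> bool:
    """Contrast case (added generalisation): the key was obtained out of band,
    so the channel cannot substitute it."""
    return hmac.compare_digest(sign(pinned_key, received["package"]), received["signature"])


def outcome(channel_broken: bool) -> dict:
    """For one channel state, which schemes accept, and whether what was
    received is the genuine package."""
    received = fetch(channel_broken)
    return {
        "genuine": received["package"] == REAL_PACKAGE,
        "current": accept_current(received),
        "trust_file": accept_trust_file_from_channel(received),
        "pinned": accept_pinned_key(received),
    }


def schemes_equivalent() -> bool:
    """The message's claim: the current and proposed schemes accept or reject
    together in every channel state."""
    return all(outcome(b)["current"] == outcome(b)["trust_file"] for b in (False, True))


if __name__ == "__main__":
    for broken in (False, True):
        print("channel broken" if broken else "channel intact", outcome(broken))
    print("equivalent:", schemes_equivalent())
```

The model makes the reduction explicit: a trust root delivered over the channel it is meant to protect inherits exactly that channel's failure modes, so the verification step that matters is the one establishing the key, not the one checking the signature.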
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig