On July 28, 2014 at 4:26:42 PM, Donald Stufft (don...@stufft.io) wrote:
> On July 28, 2014 at 1:42:54 PM, Giovanni Bajo (ra...@develer.com) wrote:
> >
> > I thus solicit a second round of review of my proposal; if you want me to
> > upload to Google Docs for easier commenting, I can do that as well. I would love to get
> > the PEP to its final form and then ask for a pronouncement.
> >
Oh, I forgot to mention also about the package signing... Actually *discovering* the packages which are to be installed is still completely dependent on the security of TLS. This means if the TLS connection was compromised then someone could trick people into being insecure by presenting them a list of packages which is not complete and which only shows older, insecure ones that are missing important security updates, thus tricking someone into installing known vulnerable software.

-- 
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
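The gap Donald describes, as an added worked example written for this page (it is not code from the thread, from pip, or from PyPI): a client that checks only per-release signatures accepts whatever listing the connection delivers, so a truncated listing silently selects the old release; a client that also checks a signature and an expiry on the listing itself detects both the truncation and a replayed stale listing. Everything here is constructed for illustration: the project "demo-pkg", its two releases, the listing format, and the two HMAC keys that stand in for real publisher and index signing keys so the script runs offline with only the standard library.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo keys. HMAC stands in for real public-key signatures; the
# point illustrated is the split between a key that signs release files and
# a separate key that signs the listing, not any real index design.
PUBLISHER_KEY = b"constructed-publisher-key"
INDEX_KEY = b"constructed-index-key"

# Constructed releases of a hypothetical project. 1.0 is the old, buggy one.
RELEASES = {
    "1.0": b"demo-pkg 1.0 contents (known vulnerable)",
    "1.1": b"demo-pkg 1.1 contents (fixed)",
}

def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

# Per-release signatures, as a publisher would attach to each file.
RELEASE_SIGS = {v: sign(PUBLISHER_KEY, blob) for v, blob in RELEASES.items()}

def version_key(v: str):
    return tuple(int(part) for part in v.split("."))

def make_index(versions, signed_at: int, ttl: int = 3600) -> dict:
    """Listing signed by the index key, carrying an explicit expiry."""
    listing = {
        "project": "demo-pkg",
        "versions": sorted(versions, key=version_key),
        "signed_at": signed_at,
        "expires": signed_at + ttl,
    }
    payload = json.dumps(listing, sort_keys=True).encode()
    return {"listing": listing, "sig": sign(INDEX_KEY, payload)}

def install_latest_trusting_tls(versions) -> Optional[str]:
    """Client that verifies only per-release signatures and trusts whatever
    listing the (TLS-protected) connection delivered."""
    latest = max(versions, key=version_key)
    if not verify(PUBLISHER_KEY, RELEASES[latest], RELEASE_SIGS[latest]):
        return None
    return latest

def install_latest_signed_index(index: dict, now: int) -> Optional[str]:
    """Client that additionally checks the listing's signature and freshness."""
    listing = index["listing"]
    payload = json.dumps(listing, sort_keys=True).encode()
    if not verify(INDEX_KEY, payload, index["sig"]):
        raise ValueError("index signature invalid: listing was altered")
    if now > listing["expires"]:
        raise ValueError("index expired: stale or replayed listing")
    return install_latest_trusting_tls(listing["versions"])

def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Run both clients against a full, a truncated, and a replayed listing."""
    results = {}
    # Honest listing: both clients pick the fixed release.
    results["tls_full"] = install_latest_trusting_tls(["1.0", "1.1"])
    # Listing with 1.1 dropped: the per-release signature on 1.0 still
    # verifies, so the TLS-only client notices nothing.
    results["tls_truncated"] = install_latest_trusting_tls(["1.0"])

    good = make_index(["1.0", "1.1"], signed_at=now)
    results["signed_full"] = install_latest_signed_index(good, now)
    # Same truncation applied to the signed listing: without the index key
    # the signature no longer matches the altered payload.
    tampered = {"listing": dict(good["listing"], versions=["1.0"]), "sig": good["sig"]}
    try:
        install_latest_signed_index(tampered, now)
        results["signed_truncated"] = "accepted"
    except ValueError as e:
        results["signed_truncated"] = str(e)
    # Replaying a genuinely signed listing from before 1.1 existed: the
    # signature is valid, but the expiry catches it.
    stale = make_index(["1.0"], signed_at=now - 7200, ttl=3600)
    try:
        install_latest_signed_index(stale, now)
        results["signed_replayed"] = "accepted"
    except ValueError as e:
        results["signed_replayed"] = str(e)
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:17s} -> {outcome}")
```

The expiry check is what turns "the listing is signed" into "the listing is current": without it, a signed listing from before the fix shipped would still verify, and the truncation attack would simply become a replay attack. The trade-off is that the index signer must re-sign on a schedule, and clients must have a trustworthy clock.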