> On Dec 30, 2014, at 9:29 PM, Richard Jones <[email protected]> wrote:
> 
> Thanks for the clarification, guys.
> 
> Donald, I'm not sure what you mean by "a compromise of the CDN for 
> *uploading*".

PyPI trusts the CDN to give it the correct bits; without a signature from the 
author being verified, uploading just relies on TLS again. The other PEP 
should close that gap, though, I believe.

Note: I have yet to read these PEPs so I’m just going by a casual glance of 
them.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
Distutils-SIG maillist  -  [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
