On Mon, Jul 26, 2010 at 2:10 PM, geremy condra <[email protected]> wrote: > On Mon, Jul 26, 2010 at 4:52 AM, Tarek Ziadé <[email protected]> wrote: >> On Mon, Jul 26, 2010 at 1:20 PM, geremy condra <[email protected]> wrote: >>> On Mon, Jul 26, 2010 at 4:02 AM, Tarek Ziadé <[email protected]> wrote: >>>> On Sat, Jul 24, 2010 at 4:08 PM, Guido van Rossum <[email protected]> wrote: >>> >>> <snip> >>> >>>>> Mirroring apparently also >>>>> requires some client changes. >>>> >>>> Mirrors can be used as long as you manually point a mirror when using >>>> them. We we are working on making the >>>> switch automatic. >>> >>> I think we've talked briefly about this before, but let me reiterate >>> that getting this right from a security point of view is quite a bit >>> harder than it at first appears, and IMHO it is worth getting right. >> >> FWIW, Martin has added a section about mirror authenticity in the PEP: >> >> http://www.python.org/dev/peps/pep-0381/#mirror-authenticity > > This is more-or-less what was discussed earlier, and from what's > described here I think the concerns I voiced stand. What's the right > way to do disclosure on this sort of issue?
I would recommend discussing it in Distutils-SIG and proposing a change to that PEP. Notice that this PEP is not accepted yet. I am not sure what would be the best moment to have it accepted. I guess once we have experimented enough on the client side. Tarek -- Tarek Ziadé | http://ziade.org _______________________________________________ Python-Dev mailing list [email protected] http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
