On Mon, Jul 30, 2012 at 12:49:56PM -0400, Alex Clark wrote:
> Hi,
>
>
> On 7/30/12 12:31 PM, Eric P. Mangold wrote:
> > Alex,
> >
> > I'm not sure if this is borderline off-topic, or not... but anyway..
> >
> > I'm sure starting a discussion here IS off-topic.
> >
> > But I have one question:
> >
> > How do package authors verify the integrity of their packages built
> > "through the web"?
>
> Good question, I just created:
>
> - http://docs.pythonpackages.com/en/latest/faq.html#how-do-package-authors-verify-the-integrity-of-packages-built-through-the-web
Let me be clear: Is it possible to have any assurance that your system has faithfully built the package, and/or that your servers have not been compromised?

Why would anyone trust your web service to build packages, when it is *their* pgp, reputation and users that are at stake?

(Yes, I would ask Launchpad/Canonical, et al. the same question...)

(Also, if you're suggesting MD5 (following your link..) for anything related to security or data authenticity, then I *know* you're way off base.......)

Sorry if this is harsh - but it's intended.

Without any kind of verifiable guarantee (get to work on that! :)) I don't think I could ever possibly use such a thing, and would advise against it.

Getting software to end-users is a tough challenge, and I applaud your efforts to try and make it easier.

A system with a single point of failure and a single point of trust just isn't feasible or desirable, imho. Administrators need to know who has final responsibility and *authority* over the software that they are consuming. If "the cloud" is the last link in that chain, then you have a big problem, I think.

Have a nice day,
-E

P.S. I'm open to suggestions for moving this thread (where?), as I don't believe it belongs on this list.

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
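The "faithfully built" question above is one an author can check in part without relying on a digest published by the same service that produced the artifact: rebuild the sdist locally and compare file contents. This added example (not code from the thread or from pythonpackages.com) does that in Python with SHA-256, ignoring tar metadata such as mtime that legitimately differs between builds; the archives, package name and paths are all constructed for the demonstration.

```python
# Added example, not from the thread: compare a locally rebuilt sdist with
# the web-built one by file content (SHA-256), ignoring archive metadata
# such as mtime that legitimately differs between builds.  Both archives
# and all paths below are constructed for the demonstration.
import hashlib
import io
import tarfile


def content_digests(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file in a .tar.gz to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # directories and links carry no content to hash
            data = tar.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_builds(local: bytes, remote: bytes) -> dict[str, list[str]]:
    """Report files whose content changed, vanished, or appeared remotely."""
    a, b = content_digests(local), content_digests(remote)
    return {
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
        "missing": sorted(a.keys() - b.keys()),
        "added": sorted(b.keys() - a.keys()),
    }


def make_sdist(files: dict[str, bytes], mtime: int) -> bytes:
    """Constructed stand-in for an sdist build; mtime varies per build."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=f"pkg-1.0/{name}")
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed source tree; the "remote" build differs only in timestamps,
# so whole-archive digests disagree while every file's content matches.
SOURCE = {"setup.py": b"from setuptools import setup\nsetup(name='pkg')\n",
          "pkg/__init__.py": b"VERSION = '1.0'\n"}
LOCAL_BUILD = make_sdist(SOURCE, mtime=1343664000)
REMOTE_BUILD = make_sdist(SOURCE, mtime=1343667600)
```

Note that this only shows the remote build matches what the author would have built; it says nothing about who is authorised to publish, which is the separate signing question the thread raises.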