
List:       python-catalog-sig
Subject:    Re: [Catalog-sig] pre-PEP: transition to release-file hosting at pypi site
From:       Robert Collins <robertc () robertcollins ! net>
Date:       2013-03-13 17:41:33
Message-ID: CAJ3HoZ2Ew-eRt0PzmisYjA1AsyABRwZYd4oZugERL5N4nnZSiA () mail ! gmail ! com

On 14 March 2013 05:54, Tres Seaver <tseaver@palladion.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/12/2013 03:57 PM, holger krekel wrote:
>> Nobody should be led to think that PYPI is a trusted or reviewed
>> source of software even if we got rid of external hosting completely.
>
> Amen.  I still boggle at the amount of "sky is falling" stuff here over
> MITM / external links / whatever, given the potential damage from
> explicitly malicious uploads (trojans, viruses, whatever).  Package
> signing might help here, but only for consumers who are willing to think
> hard enough about the problem to manage a web of trust (frankly, a
> vanishingly small minority).

Well, yes, HTTPS and external links are problems which it is necessary
to solve, and not sufficient to make 'pypi secure' - but that doesn't
mean we should do a poor job solving them.

-Rob
-- 
Robert Collins <rbtcollins@hp.com>
Distinguished Technologist
HP Cloud Services
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
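The "necessary but not sufficient" distinction above is easy to make concrete. The following is an added example, not code from the thread, PyPI or pip: it applies the two transport-level checks the thread discusses (the release link is served over HTTPS, and it points at the index host rather than an external site) and a digest check against a `#<algo>=<hex>` fragment on the link. The index host name, the sample links, the digest-fragment convention and the file bytes are all assumptions constructed for the example. A link that passes every one of these checks can still deliver a deliberately malicious upload; the checks only rule out tampering in transit and off-index hosting, which is exactly the point being made.

```python
"""Added example: transport-level checks on a package-index release link.

These checks are necessary (HTTPS, on-index hosting, integrity of the bytes
against the digest the index advertised) but say nothing about whether the
package itself is malicious.  Index host, links and file bytes below are
constructed for illustration; they are not real PyPI data.
"""

import hashlib
from urllib.parse import urlsplit

# Assumed index host for the example.
INDEX_HOST = "pypi.python.org"


def classify_link(url, index_host=INDEX_HOST):
    """Return a list of transport-level problems with a release link.

    An empty list means the link is HTTPS and hosted on the index itself.
    """
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    host = (parts.hostname or "").lower()
    if host != index_host.lower():
        problems.append("external host: %s" % (host or "<none>"))
    return problems


def parse_digest_fragment(url):
    """Extract (algorithm, hexdigest) from a '#sha256=<hex>' style fragment.

    The fragment convention is an assumption of this example.  Returns None
    when the link carries no usable digest.
    """
    frag = urlsplit(url).fragment
    if "=" not in frag:
        return None
    algo, _, hexdigest = frag.partition("=")
    algo = algo.lower()
    if algo not in hashlib.algorithms_guaranteed or not hexdigest:
        return None
    return algo, hexdigest.lower()


def verify_release_file(url, data, index_host=INDEX_HOST):
    """Combine the transport checks with a digest check on the file bytes.

    Returns (ok, reasons).  ok is True only when the link is HTTPS, on the
    index host, carries a digest, and the data matches it.  A True result
    still tells you nothing about what the package does when installed.
    """
    reasons = classify_link(url, index_host)
    digest = parse_digest_fragment(url)
    if digest is None:
        reasons.append("no digest fragment on link")
    else:
        algo, expected = digest
        actual = hashlib.new(algo, data).hexdigest()
        if actual != expected:
            reasons.append("digest mismatch (%s)" % algo)
    return (not reasons, reasons)


# Constructed sample data, not a real release.
SAMPLE_SDIST = b"fake sdist bytes for the example\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_SDIST).hexdigest()

if __name__ == "__main__":
    links = [
        "https://pypi.python.org/packages/source/e/example/example-1.0.tar.gz#sha256=" + SAMPLE_SHA256,
        "http://pypi.python.org/packages/source/e/example/example-1.0.tar.gz#sha256=" + SAMPLE_SHA256,
        "https://downloads.example.org/example-1.0.tar.gz",
    ]
    for link in links:
        print(link.split("/")[2], verify_release_file(link, SAMPLE_SDIST))
```

The digest check only has value when the digest itself came over a trusted channel (the HTTPS index page); a digest fetched over plain HTTP, or from the same external host as the file, can be rewritten by the same attacker who rewrites the file.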