[Twisted-Python] ANN: pythonpackages.com beta
Eric P. Mangold
eric at teratorn.org
Mon Jul 30 16:49:04 EDT 2012
On Mon, Jul 30, 2012 at 12:49:56PM -0400, Alex Clark wrote:
> On 7/30/12 12:31 PM, Eric P. Mangold wrote:
> > Alex,
> > I'm not sure if this is borderline off-topic, or not... but anyway..
> > I'm sure starting a discussion here IS offtopic.
> > But I have one question:
> > How do package authors verify the integrity of their packages built "through the web"?
> Good question, I just created:
Let me be clear:
Is it possible to have any assurance that your system has faithfully built the package, and/or that your servers have not been compromised?
Why would anyone trust your web service to build packages, when it is *their* pgp, reputation and users that are at stake?
(Yes, I would ask Launchpad/Canonical, et al. the same question...)
(Also, if you're suggesting MD5 (following your link..) for anything related to security or data authenticity, then I *know* you're way off base.......)
Sorry if this is harsh - but it's intended. Without any kind of verifiable guarantee (get to work on that! :)) I don't think I could ever possibly use such a thing, and would advise against it.
Getting software to end-users is a tough challenge, and I applaud your efforts to try and make it easier. A system with a single point of failure and a single point of trust just isn't feasible or desirable, imho. Administrators need to know who has final responsibility and *authority* over the software that they are consuming. If "the cloud" is the last link in that chain, then you have a big problem, I think.
Have a nice day,
P.S. I'm open to suggestions for moving this thread (where?), as I don't believe it belongs on this list.
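The check Eric is asking for, as an added example that is not part of the original message or of pythonpackages.com: an author who lets a web service build their package can still rebuild it locally and compare the two artifacts. A digest published by the same service that built the artifact only proves the download was not corrupted in transit; if the service is compromised, the attacker publishes a matching digest for the tampered build. Only an independently produced build (or a signature made with a key the service never held) catches that. The digest line format `algorithm:hexdigest`, the function names and the artifact bytes below are constructed for illustration; MD5 is rejected on purpose, since MD5 collisions are practical and an MD5 match proves nothing about authenticity.

```python
import hashlib
import hmac

# Digest algorithms accepted for package integrity checks.
# MD5 (and SHA-1) are deliberately absent: collisions are practical.
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}

# Constructed sample artifacts standing in for sdist tarballs (not real packages).
LOCAL_BUILD = b"example-1.0/setup.py\nexample-1.0/example.py\n# clean\n"
TAMPERED_BUILD = b"example-1.0/setup.py\nexample-1.0/example.py\n# backdoor\n"


def parse_digest_line(line):
    """Parse a published 'algorithm:hexdigest' line (assumed format).

    Raises ValueError for malformed lines and for algorithms we refuse to trust.
    """
    algo, sep, hexdigest = line.strip().partition(":")
    if not sep or not hexdigest:
        raise ValueError("digest line must look like 'algorithm:hexdigest'")
    algo = algo.lower()
    if algo not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown digest algorithm {algo!r}")
    return algo, hexdigest.lower()


def digest_of(data, algo="sha256"):
    """Hex digest of an artifact with an accepted algorithm."""
    if algo not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown digest algorithm {algo!r}")
    return hashlib.new(algo, data).hexdigest()


def published_digest_line(artifact, algo="sha256"):
    """What a build service would publish next to the artifact it serves."""
    return f"{algo}:{digest_of(artifact, algo)}"


def verify_against_local_build(local_artifact, remote_artifact, published_line):
    """Two checks an author can run on a service-built artifact.

    1. transport integrity: does the served artifact match the digest the
       service published? (an attacker who owns the service passes this)
    2. build authenticity: does the served artifact match a build produced
       independently on the author's own machine?
    Returns "ok" or a short string naming the first failed check.
    """
    algo, published = parse_digest_line(published_line)
    # Constant-time comparison: not strictly needed for public digests, but
    # it is the habit worth keeping for anything compared against a secret.
    if not hmac.compare_digest(digest_of(remote_artifact, algo), published):
        return "digest mismatch: served artifact does not match the published digest"
    if not hmac.compare_digest(digest_of(local_artifact, algo), published):
        return "build mismatch: service output differs from the local rebuild"
    return "ok"


def run_checks():
    """Exercise the three situations the thread is arguing about."""
    honest = verify_against_local_build(
        LOCAL_BUILD, LOCAL_BUILD, published_digest_line(LOCAL_BUILD))
    # Compromised service: tampered artifact *and* a matching published digest.
    # Only the comparison with the local rebuild catches this.
    compromised = verify_against_local_build(
        LOCAL_BUILD, TAMPERED_BUILD, published_digest_line(TAMPERED_BUILD))
    # Corruption in transit: artifact no longer matches what was published.
    corrupted = verify_against_local_build(
        LOCAL_BUILD, TAMPERED_BUILD, published_digest_line(LOCAL_BUILD))
    try:
        parse_digest_line("md5:d41d8cd98f00b204e9800998ecf8427e")
        md5_rejected = False
    except ValueError:
        md5_rejected = True
    return {
        "honest": honest,
        "compromised": compromised,
        "corrupted": corrupted,
        "md5_rejected": md5_rejected,
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The "compromised" case is the one that matters for the thread: the published digest matches the served artifact, so a hash alone says nothing about whether the service built what the author intended. A local rebuild (or, more practically, an author-side PGP signature over a locally built artifact that the service merely hosts) is what moves the trust anchor off the service. Real sdists embed timestamps, so a byte-for-byte rebuild also needs reproducible build settings; that is outside this example.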