[Twisted-Python] ANN: pythonpackages.com beta

Eric P. Mangold eric at teratorn.org
Mon Jul 30 14:49:04 MDT 2012


On Mon, Jul 30, 2012 at 12:49:56PM -0400, Alex Clark wrote:
> Hi,
> 
> 
> On 7/30/12 12:31 PM, Eric P. Mangold wrote:
> > Alex,
> >
> > I'm not sure if this is borderline off-topic, or not... but anyway..
> >
> > I'm sure starting a discussion here IS off-topic.
> >
> > But I have one question:
> >
> > How do package authors verify the integrity of their packages built "through the web"?
> 
> 
> Good question, I just created:
> 
> - http://docs.pythonpackages.com/en/latest/faq.html#how-do-package-authors-verify-the-integrity-of-packages-built-through-the-web

Let me be clear:

Is it possible to have any assurance that your system has faithfully built the package, and/or that your servers have not been compromised?

Why would anyone trust your web service to build packages, when it is *their* pgp, reputation and users that are at stake?
(Yes, I would ask Launchpad/Canonical, et al. the same question...)

(Also, if you're suggesting MD5 (following your link..) for anything related to security or data authenticity, then I *know* you're way off base.......)

Sorry if this is harsh - but it's intended. Without any kind of verifiable guarantee (get to work on that! :)) I don't think I could ever possibly use such a thing, and would advise against it.

Getting software to end-users is a tough challenge, and I applaud your efforts to try and make it easier. A system with a single point of failure and a single point of trust just isn't feasible or desirable, imho. Administrators need to know who has final responsibility and *authority* over the software that they are consuming. If "the cloud" is the last link in that chain, then you have a big problem, I think.

Have a nice day,
-E

P.S. I'm open to suggestions for moving this thread (where?), as I don't believe it belongs on this list.
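The two points the message above makes (a digest published by the same service that built and hosts the package proves nothing about who produced it, and MD5 is the wrong tool for authenticity in any case) are easy to see in a small model. The following is an added illustration, not code from pythonpackages.com or from anyone in this thread. It uses constructed byte strings as stand-ins for an sdist tarball, `hashlib`/`hmac` from the Python standard library, and assumes the author's local build is byte-for-byte reproducible so that its SHA-256 can serve as an independent reference value.

```python
"""Why a digest published beside a web-built package is not a proof of authenticity,
and what an author-side independent check looks like.  Added example; all sample
artifact bytes below are constructed, not real package contents."""
import hashlib
import hmac

# Constructed stand-ins for the bytes of an sdist tarball.
AUTHOR_LOCAL_BUILD = b"mypkg-1.0.tar.gz built on the author's own machine (constructed)"
SERVICE_BUILD = AUTHOR_LOCAL_BUILD      # honest case: the service's build is identical
TAMPERED_BUILD = b"mypkg-1.0.tar.gz with an unexpected modification (constructed)"


def publish(artifact: bytes, algo: str = "md5") -> dict:
    """Model of what a build/hosting service publishes: the artifact plus a digest
    the *same* service computed over it.  'md5' is the default only because the
    reply above objects to MD5; the structural problem is the same for any algorithm."""
    return {"artifact": artifact, "algo": algo,
            "digest": hashlib.new(algo, artifact).hexdigest()}


def digest_matches(published: dict) -> bool:
    """Consumer-side check: do the bytes match the digest shipped next to them?
    This detects accidental corruption in transit and nothing more."""
    actual = hashlib.new(published["algo"], published["artifact"]).hexdigest()
    return hmac.compare_digest(actual, published["digest"])


def host_rewrites(published: dict, new_artifact: bytes) -> dict:
    """Threat model raised in the thread: whoever controls the server holding both the
    artifact and its digest can republish both together.  No collision-finding is
    needed, which is why a stronger hash alone does not close this gap."""
    return publish(new_artifact, published["algo"])


def author_independent_check(local_build: bytes, published: dict) -> bool:
    """The assurance the reply asks for: the author compares the service's output with
    a build made on their own machine, using a collision-resistant hash (SHA-256),
    so the reference value never passes through the service.  Assumes the build is
    reproducible (byte-identical) across the two environments."""
    expected = hashlib.sha256(local_build).hexdigest()
    actual = hashlib.sha256(published["artifact"]).hexdigest()
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Run the four checks and report which ones notice the tampering."""
    honest = publish(SERVICE_BUILD)
    rewritten = host_rewrites(honest, TAMPERED_BUILD)
    rewritten_sha256 = host_rewrites(publish(SERVICE_BUILD, "sha256"), TAMPERED_BUILD)
    return {
        "honest_digest_ok": digest_matches(honest),                 # True
        "rewritten_digest_ok": digest_matches(rewritten),           # True: check is blind
        "rewritten_sha256_digest_ok": digest_matches(rewritten_sha256),  # still True
        "honest_author_check": author_independent_check(AUTHOR_LOCAL_BUILD, honest),     # True
        "rewritten_author_check": author_independent_check(AUTHOR_LOCAL_BUILD, rewritten),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The middle result is the one worth noticing: swapping MD5 for SHA-256 does not make the published digest any more meaningful, because the digest and the artifact come from the same trust domain. Only the last check, which compares against a value the author derived independently (or, in practice, a signature made with a key the service never holds), distinguishes the honest build from the rewritten one.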
