
On 12/13/10 8:25 AM, Paul Sargent wrote:
> How about, as a cheap and cheerful method to get up and running. If the premise is that the original server is trustworthy and the mirrors aren't, then:
>
> 1) Hash all packages on the original server.
> 2) Hash goes into a side-car file (e.g. <packagename>.sha) that lives next to the package.
I still contend that we shouldn't have to trust the central server either. The hash can be created alongside the sdist on the maintainer's computer, and then both are uploaded to central. Thus, the maintainer can verify that the hash on central matches their own, which ensures that:

(a) the hash that central has is trustworthy
(b) no man-in-the-middle corrupted the sending of the hash to central

These concerns are separate from using the hash to confirm the consistency of the sdist itself. Remember: metadata can be compromised just as easily as data. And the fewer machines we have to trust, the better.

Moreover, this approach requires the same amount of implementation work as getting central to make the hashes.

-- 
Live well,
~wren
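The workflow the two posts describe, as an added example that is not code from the thread or from either poster: the maintainer hashes the sdist locally and writes the side-car file before upload, then checks that the digest central serves back equals the local one; a consumer checks a copy fetched from an untrusted mirror against a digest obtained from a source it trusts. The side-car name `<package>.sha` and its `sha256  <hex>` line format are assumptions for the example, as is the use of SHA-256. One caveat the example encodes: a side-car file that sits next to the package on the same untrusted mirror proves nothing, because the mirror can rewrite both files together; the digest has to come from central (after the maintainer has verified it) or from the maintainer directly.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Assumed side-car convention for this example: "<package>.sha" next to the
# package, containing one line "sha256  <hex digest>".
HASH_ALGO = "sha256"


def hash_file(path: Path, algo: str = HASH_ALGO) -> str:
    """Stream the file through the digest so large sdists need not fit in RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sidecar(package: Path) -> Path:
    """Maintainer side: create <package>.sha beside the sdist before upload."""
    sidecar = package.with_name(package.name + ".sha")
    sidecar.write_text(f"{HASH_ALGO}  {hash_file(package)}\n")
    return sidecar


def read_sidecar(sidecar: Path) -> tuple:
    """Parse the side-car line; reject unknown algorithms or an empty digest."""
    algo, _, digest = sidecar.read_text().strip().partition("  ")
    if algo not in hashlib.algorithms_available or not digest:
        raise ValueError(f"malformed side-car file {sidecar}")
    return algo, digest.lower()


def verify_download(package: Path, trusted_digest: str, algo: str = HASH_ALGO) -> bool:
    """Consumer side: compare a file fetched from an untrusted mirror against a
    digest obtained from a trusted source (central, or the maintainer). A side-car
    fetched from the same mirror is not a trusted source."""
    return hmac.compare_digest(hash_file(package, algo), trusted_digest)


def maintainer_check(local_digest: str, central_digest: str) -> bool:
    """Maintainer side after upload: the digest central now serves must equal the
    locally computed one; a mismatch means the metadata was altered in transit
    or at rest on central."""
    return hmac.compare_digest(local_digest, central_digest)


def demo() -> dict:
    """Constructed end-to-end run: a fake sdist, its side-car, a tampered mirror
    copy, and a central server that hands back an altered digest."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        sdist = tmp / "foo-1.0.tar.gz"
        sdist.write_bytes(b"constructed sdist payload, not a real tarball\n")

        # 1. Maintainer hashes locally and writes the side-car file.
        sidecar = write_sidecar(sdist)
        algo, local_digest = read_sidecar(sidecar)
        sidecar_matches = local_digest == hash_file(sdist, algo)

        # 2. Central echoes back what it stored; simulate a corrupted last nibble.
        central_digest = local_digest[:-1] + ("0" if local_digest[-1] != "0" else "1")
        mismatch_caught = not maintainer_check(local_digest, central_digest)

        # 3. Consumer fetches from a mirror and checks against the trusted digest.
        mirror = tmp / "mirror"
        mirror.mkdir()
        genuine = mirror / sdist.name
        genuine.write_bytes(sdist.read_bytes())
        genuine_ok = verify_download(genuine, local_digest, algo)

        tampered = mirror / ("tampered-" + sdist.name)
        tampered.write_bytes(sdist.read_bytes() + b"# appended by a hostile mirror\n")
        tampered_ok = verify_download(tampered, local_digest, algo)

    return {
        "sidecar_matches_file": sidecar_matches,
        "central_mismatch_caught": mismatch_caught,
        "genuine_verifies": genuine_ok,
        "tampered_verifies": tampered_ok,
    }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used for both comparisons so that the check does not leak timing information about how many leading hex characters matched; for a public digest this hardly matters, but it costs nothing and keeps the habit.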