On Friday, Oct 3, 2003, at 18:32 America/New_York, Jack Jansen wrote:

>
> On 3-okt-03, at 23:21, Glenn Andreas wrote:
>> I'm clearly missing something here, because if we have the databases
>> come from a trusted source (python.org) using SSL,
>
> This is what you're missing: we cannot use SSL to transfer the
> database, because core Python has no SSL support.
>
> We expect the end user to trust a number of entities (because a hole
> in any of these would make the whole exercise pointless):
> 1. Apple, anyone with admin access to their machine, and all the other
>    parties involved with local infrastructure.
> 2. The Python maintainers.
> 3. The installed Python distribution, including PackMan (either because
>    it was Apple-provided, or because people checked the signature on
>    the website download page).
> 4. The scapegoat.
> 5. Anyone the scapegoat trusts wrt. web distribution (their webhoster,
>    the key-signing Trusted Third Party).

When using PGP or something like it to sign the package list, #5 can be eliminated, because the scapegoat is the key signing entity and the web hoster does not have the private key.

-bob
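
An added example, not part of the original message or of PackMan's code: it shows why a signed package list removes the web hoster from the trust list even over plain HTTP. Because the Python standard library has no PGP or public-key signing, a Lamport one-time hash signature stands in for PGP here; the database contents and host names are constructed, and the public key is assumed to ship with the already-trusted installed distribution (item 3).

```python
import hashlib
import secrets

# Constructed sample database; not a real PackMan file.
DATABASE = b"Name: example-pkg\nVersion: 1.0\nURL: http://downloads.example.org/example-pkg-1.0.tar.gz\n"

def _h(data):
    return hashlib.sha256(data).digest()

def _bits(message):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Lamport key pair: 256 pairs of random secrets; the public key is their hashes.
    A Lamport key may sign only ONE message (here: one database release)."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub

def sign(priv, message):
    """Scapegoat side: reveal one secret per digest bit."""
    return [priv[i][bit] for i, bit in enumerate(_bits(message))]

def verify(pub, message, signature):
    """Client side: needs only the public key, never the private key."""
    if len(signature) != 256:
        return False
    return all(_h(s) == pub[i][bit]
               for i, (s, bit) in enumerate(zip(signature, _bits(message))))

def demo():
    priv, pub = keygen()          # priv never leaves the scapegoat's machine
    sig = sign(priv, DATABASE)    # DATABASE and sig are uploaded to the web host
    # A host (or anyone on the plain-HTTP path) altering the file cannot re-sign it.
    altered = DATABASE.replace(b"downloads.example.org", b"mirror.example.net")
    return verify(pub, DATABASE, sig), verify(pub, altered, sig)

if __name__ == "__main__":
    print(demo())
```

The client should reject the database whenever `verify` returns `False`, including when the signature file is missing or truncated.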