On Mon, Jul 26, 2010 at 7:21 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote: > On Mon, Jul 26, 2010 at 2:10 PM, geremy condra <debatem1 at gmail.com> wrote: >> On Mon, Jul 26, 2010 at 4:52 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote: >>> On Mon, Jul 26, 2010 at 1:20 PM, geremy condra <debatem1 at gmail.com> wrote: >>>> On Mon, Jul 26, 2010 at 4:02 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote: >>>>> On Sat, Jul 24, 2010 at 4:08 PM, Guido van Rossum <guido at python.org> wrote: >>>> >>>> <snip> >>>> >>>>>> Mirroring apparently also >>>>>> requires some client changes. >>>>> >>>>> Mirrors can be used as long as you manually point a mirror when using >>>>> them. We we are working on making the >>>>> switch automatic. >>>> >>>> I think we've talked briefly about this before, but let me reiterate >>>> that getting this right from a security point of view is quite a bit >>>> harder than it at first appears, and IMHO it is worth getting right. >>> >>> FWIW, Martin has added a section about mirror authenticity in the PEP: >>> >>> http://www.python.org/dev/peps/pep-0381/#mirror-authenticity >> >> This is more-or-less what was discussed earlier, and from what's >> described here I think the concerns I voiced stand. What's the right >> way to do disclosure on this sort of issue? > > I would recommend discussing it in Distutils-SIG and proposing a > change to that PEP. I've noticed that I don't have a lot of success in shifting this kind of debate, so I'm not sure it's a good idea to publicly discuss vulnerabilities in something that may wind up being implemented as-is, but it's up to you guys. Geremy Condra
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4