[openstack-dev] [Horizon] the future of angularjs development in Horizon

Donald Stufft donald at stufft.io
Fri Nov 14 19:43:15 UTC 2014


> On Nov 14, 2014, at 2:39 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:
> 
> On 2014-11-15 02:57:15 +0800 (+0800), Thomas Goirand wrote:
> [...]
>> Do you realize that with the TLS system, you have to trust each
>> and every CA, while with PGP, you only need to trust a single
>> fingerprint?
> [...]
> 
> Technically not true *if* the package retrieval tools implement
> certificate pinning rather than trusting any old CA (after all,
> they're not Web browsers, so they could in theory do that with
> minimal impact).
> 
> Too bad https://github.com/pypa/pip/issues/1168 hasn't gotten much
> traction.

Yeah, the primary reason that hasn’t been done is that up until recently we
(PyPI) were relying on the TLS certificate provided by Fastly, and they were
unwilling to make a promise to also be using a particular CA for the
next N years. We now have dedicated IP addresses with them so we can
provide them with whatever certificate we want; now it’s just a matter
of selecting CAs and the political process.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
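
The CA pinning discussed in this message, as an added example that is not part of the original post and is not pip's or PyPI's code: a client accepts a chain only if one of its issuer certificates is in a small set of selected CAs, with a second entry so the server can change CA without breaking clients. The names `fingerprint`, `match_pinned_ca` and `PINS` are hypothetical, the byte strings are constructed stand-ins for DER certificates, and the check hashes the whole certificate rather than its public key.

```python
import hashlib

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def match_pinned_ca(verified_chain, pins):
    """Return the label of the pinned CA that issued this chain, or None.

    verified_chain: DER certificates, leaf first, that already passed normal
    TLS validation. Pinning narrows that decision, it does not replace it.
    pins: mapping of CA certificate fingerprint -> label.
    """
    # Skip the leaf: the pin is on the issuing CAs, so a server certificate
    # can be renewed freely as long as it comes from a selected CA.
    for der in verified_chain[1:]:
        label = pins.get(fingerprint(der))
        if label is not None:
            return label
    return None  # no issuer present, or issued by a CA that was not selected

# Constructed stand-ins for DER certificates (not real certificates).
ROOT_A, INT_A = b"constructed root: CA A", b"constructed intermediate: CA A"
ROOT_B, INT_B = b"constructed root: CA B", b"constructed intermediate: CA B"
ROOT_X, INT_X = b"constructed root: CA X", b"constructed intermediate: CA X"
LEAF = b"constructed leaf: index.example"

# Two selected CAs: the one in use and a backup for a future CA change.
PINS = {fingerprint(ROOT_A): "ca-a", fingerprint(ROOT_B): "ca-b-backup"}

CHAINS = {
    "current CA": [LEAF, INT_A, ROOT_A],
    "after CA change": [LEAF, INT_B, ROOT_B],
    # Valid under the system trust store, but from a CA nobody selected.
    "unselected CA": [LEAF, INT_X, ROOT_X],
    "leaf only": [LEAF],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        result = match_pinned_ca(chain, PINS)
        print(f"{name:16} -> {'accept via ' + result if result else 'reject'}")
```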



