[openstack-dev] [Horizon] the future of angularjs development in Horizon
Donald Stufft
donald at stufft.io
Fri Nov 14 19:43:15 UTC 2014
> On Nov 14, 2014, at 2:39 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:
>
> On 2014-11-15 02:57:15 +0800 (+0800), Thomas Goirand wrote:
> [...]
>> Do you realize that with the TLS system, you have to trust every
>> and all CA, while with PGP, you only need to trust a single
>> fingerprint?
> [...]
>
> Technically not true *if* the package retrieval tools implement
> certificate pinning rather than trusting any old CA (after all,
> they're not Web browsers, so they could in theory do that with
> minimal impact).
>
> Too bad https://github.com/pypa/pip/issues/1168 hasn't gotten much
> traction.

Yea, primary reason that hasn’t been done is up until recently we (PyPI)
were relying on the TLS certificate provided by Fastly and they were
unwilling to make a promise to also be using a particular CA for the
next N years. We now have dedicated IP addresses with them so we can
provide them with whatever certificate we want; now it’s just a matter
of selecting CAs and the political process.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA