signing conda packages


David Froger

Sep 25, 2015, 5:10:32 AM
to co...@continuum.io
Hello,

I would like to ask 2 questions about signing conda packages:
http://conda.pydata.org/docs/signed-packages.html

0- When installing a package from the official conda repositories, is there a
signature verification? I mean, are the official conda repositories vulnerable
to "man in the middle attack"?

1- Does http://anaconda.org support signed packages? How to upload the
.tar.bz2.sig file?

Thanks,
David


Note: Another discussion thread about signing packages:
https://github.com/conda/conda/issues/1395

Ilan Schnell

Sep 25, 2015, 11:25:43 AM
to David Froger, conda
Hello David,

0) The packages on repo.continuum.io are not signed.  However, since they are served using https, they are not vulnerable to "man in the middle attacks".  The conda package signing offers an additional layer of security for people who want to distribute their own packages over insecure channels.

1) anaconda.org does not offer the ability to upload .tar.bz2.sig files (yet)

- Ilan




David Froger

Oct 1, 2015, 4:46:09 AM
to Ilan Schnell, conda
Hello Ilan,

Ok! Thanks for the explanations!

David
