distribute_setup.py should be signed by a trusted party, and/or served over HTTPS
The following blog post:
invites users to install distribute via the following steps:
$ curl -O http://python-distribute.org/distribute_setup.py
$ less distribute_setup.py # (*)
$ sudo /opt/Python2.7.4-32bits/bin/python2.7 distribute_setup.py
This suffers from the shortcomings mentioned in issue #354. I tried using HTTPS instead:
$ curl -O https://python-distribute.org/distribute_setup.py
but that results in a cryptic error instead of a successful download.
There is currently no way for a user to assess that the code she is about to execute has not been modified by a third party.
Could you either:
Make distribute_setup.py accessible via HTTPS on a trusted website, and update the recommended instructions;
Put a page up at e.g. http://python-distribute.org/index.html containing signatures next to the download link, as is being done for each Python release (e.g. http://www.python.org/getit/releases/3.3.1/).
(Feel free to merge with #354, but I'm opening this one as a critical bug to make sure it does not go unnoticed.)
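What the user-side check could look like once a digest is published over a trusted channel, as an added example that is not part of the original report or of the distribute project. It swaps a pinned SHA-256 digest in for the signatures the report asks for. The function names are hypothetical, and it assumes the expected digest was obtained separately from the download itself.

```shell
# Added example. Assumption: EXPECTED was obtained from a channel that an
# attacker on the download path cannot alter (HTTPS page, signed notes).

# Print the SHA-256 of FILE as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if FILE exists and hashes to EXPECTED (64 hex characters).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    case $expected in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 1; }
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$expected" ] || { echo "digest mismatch: $1" >&2; return 1; }
}

# run_if_verified FILE EXPECTED COMMAND [ARGS...]
# Verify and execute a private copy, so the bytes that run are the bytes that
# were hashed even if FILE is replaced in between.
run_if_verified() {
    src=$1; want=$2; shift 2
    copy=$(mktemp) || return 1            # created with mode 0600
    rc=1
    if cat "$src" > "$copy" && verify_sha256 "$copy" "$want"; then
        "$@" "$copy" && rc=0 || rc=$?
    fi
    rm -f "$copy"
    return "$rc"
}

# Constructed demo: a stand-in script runs, then is refused after one appended line.
demo() {
    d=$(mktemp -d) || return 1
    printf 'echo bootstrap-ok\n' > "$d/setup.sh"
    pinned=$(sha256_of "$d/setup.sh")
    first=$(run_if_verified "$d/setup.sh" "$pinned" sh)
    printf 'echo injected\n' >> "$d/setup.sh"
    second=$(run_if_verified "$d/setup.sh" "$pinned" sh 2>/dev/null) && second=ran
    rm -rf "$d"
    [ "$first" = "bootstrap-ok" ] && [ -z "$second" ]
}
```

A digest fetched over the same plain-HTTP connection as the script adds nothing, since whoever can modify one can modify the other.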