Merge "Document shortcomings of pypi-openstack element"

2014-02-04 08:15:01 +00:00 · 2014-02-04 08:15:01 +00:00 · 8b9e3f5d0a
commit 8b9e3f5d0a
parent bacd855508 6ac6906d6d
1 changed files with 9 additions and 0 deletions
--- a/elements/pypi-openstack/README.md
+++ b/elements/pypi-openstack/README.md
@ -6,3 +6,12 @@ http://pypi.openstack.org.

 By policy all tests in the OpenStack CI/CD environment need to use just the
 OpenStack PyPI mirror and thus should include this element.
+
+Note that when building images with this element, pip uses HTTP, and the
+OpenStack mirror does not provide a way to verify the contents of the
+downloaded packages, and thus is vulnerable to a man-in-the-middle attack.
+
+In order to have a secure local mirror which is built in the same way
+pypi-openstack is, see the diskimage-builder element 'pypi'. If you would
+like to build an image which hosts such a mirror, see the pypi-mirror
+element.