Secure update mechanism

[rlee287]

Feature Request

Description of feature:

• [x] 1. Pyautoupdate needs some mechanism for securing the downloading of files from the internet.
• [ ] 2. Symlink and duplicate file checks are needed to detect duplicate files and handle symlinks properly.

Rationale for feature:

1. Without any kind of securing, a MITM attack could easily inject malicious code into an update.
2. Duplicate files may cause problems and unpredictability. Moreover, symlink attacks could potentially be used to overwrite critical system files.

Possible implementation:

1. requests can already handle HTTPS properly. This could be mandated. In addition, protocols such as SFTP or SSH could also be used.
2. Duplicates can be checked for and removed during replacing process (emitting warnings as well)

[rlee287]

Turning into general checklist for securing the update chain.

[rlee287]

For point 1:

• [x] Disallow HTTP, allow only HTTPS
• [ ] Possibly allow SFTP or other secure protocls
• [ ] Use pycrypto to support code signatures (verify identity while secure transfer can only verify integrity?)