[Catalog-sig] [Draft] Package signing and verification process

Daniel Holth dholth at gmail.com
Thu Feb 7 00:37:24 CET 2013


In this scheme Plone would publish all the public keys for all its
dependencies as tested. They already pin pretty much all their
dependencies. Each pinned version would have a key fingerprint added to
that line in the file.

Whether PGP or X.509 or something else is used doesn't matter that much. The
overall system design is more important.

Detecting tampering is as interesting to me as absolute security. For
example, Guardtime provides keyless signatures that assert a timestamp.

On Feb 6, 2013 4:45 PM, "Vinay Sajip" <vinay_sajip at yahoo.co.uk> wrote:

> Daniel Holth <dholth <at> gmail.com> writes:
>
> > That is why the original wheel signing design uses no GPG, a system that
> > has proven to be unused in practice.
>
> It's not like there's some other PKI system which is so much easier to use
> that it's a no-brainer, such that it has widespread adoption with the type
> of user that Donald was talking about.
>
> A lot of it is that people are very happy to trade security for
> convenience, and you can't really have additional security with *no* loss
> of convenience (though that loss may be small). Why, most of us can't even
> be bothered to read on-line license terms and conditions, preferring to
> click the "I Agree" button as soon as it appears!
>
> In the Windows world, people are used to being prompted to accept a program
> publisher's identity verified by a code-signing certificate, just like an
> SSL certificate. Of course, you can have signed malware, as is in the news
> this week.
>
> With Python packages, you can't easily just trust one publisher, because
> of all the recursive dependencies a package pulls in. It's mostly a
> blessing, but not in this regard.
>
> Regards,
>
> Vinay Sajip
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>
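The pinned-version-plus-key-fingerprint file sketched at the top of this message, as an added example that is not code from the thread, from Plone or from any packaging tool. The line format (`name==version  # fp=<hex>`), the SHA-256-over-key-bytes fingerprint and the HMAC stand-in for the signature backend are all assumptions; the point it shows is that the pin, not the signature alone, decides which key is trusted, so a valid signature from a substituted key is still flagged.

```python
import hashlib
import hmac
import re

# One pin per line (assumed format): name==version  # fp=<hex SHA-256 of the signing public key>
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>[^\s#]+)\s*#\s*fp=(?P<fp>[0-9a-f]{64})$")

def fingerprint(pubkey: bytes) -> str:
    """Fingerprint as written in the pins file: hex SHA-256 over the raw key bytes."""
    return hashlib.sha256(pubkey).hexdigest()

def parse_pins(text: str) -> dict:
    """name -> (pinned version, pinned key fingerprint); a pin without a fingerprint is rejected."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"pins line {lineno}: expected 'name==version  # fp=<hex>'")
        pins[m["name"].lower()] = (m["ver"], m["fp"])
    return pins

def check_dist(pins, name, version, pubkey, payload, signature, verify):
    """Accept a downloaded dist only if version, signing key AND signature all match the pin.
    `verify(pubkey, payload, signature) -> bool` is the pluggable backend (PGP, X.509, ...)."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, "unpinned: no line in pins file"
    if version != pin[0]:
        return False, f"version {version} differs from pinned {pin[0]}"
    if not hmac.compare_digest(fingerprint(pubkey), pin[1]):
        return False, "signing key is not the pinned key"  # a valid signature by another key is still a tamper signal
    if not verify(pubkey, payload, signature):
        return False, "signature does not verify"
    return True, "ok"

# Demo-only stand-in backend: HMAC-SHA256 keyed by the "public key" bytes; not a real public-key signature.
def hmac_sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def hmac_verify(key: bytes, payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(hmac_sign(key, payload), signature)

# Constructed sample: the project tested examplepkg 1.2 signed with KEY_A and pins that key.
KEY_A = b"constructed-public-key-of-examplepkg-maintainer"
KEY_B = b"constructed-public-key-of-someone-else"
PINS = "# constructed pins file\nexamplepkg==1.2  # fp=" + fingerprint(KEY_A) + "\n"
```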