[Catalog-sig] [Draft] Package signing and verification process

M.-A. Lemburg mal at egenix.com
Thu Feb 7 15:35:15 CET 2013


On 07.02.2013 15:13, Giovanni Bajo wrote:
> On 07/feb/2013, at 12:55, "M.-A. Lemburg" <mal at egenix.com> wrote:
>>> Can you please describe an attack that can be mounted against PyPI/pip that is prevented by having this additional signature?
>>
>> This is not about preventing some kind of attack. It's to simplify
>> the setup for the user of PyPI (via the package manager).
>>
>> The user will no longer have to install several tens or even
>> hundreds of different uploader GPG keys locally just to be able
>> to verify the downloads. Instead, just the PyPI key is needed.
>>
>> I think that's important to not disrupt the PyPI user experience.
>>
>> Additionally, as already mentioned by Lennart, all the GPG interaction
>> could be handled by the package managers.
> 
> 
> Yes, but *all* of the above requirements can be obtained by simply having PyPI tell pip "key ABCD1234 is authoritative for package django". pip can then tell GPG to go and get the key automatically from a first-party or third-party keyserver (e.g. launchpad).
> 
> I'm absolutely *not* suggesting the user to go downloading tons of GPG keys manually. 

I don't think anyone would want to have pip installing hundreds
of PyPI uploader GPG keys locally, even less so, if just one is
enough :-)

I, for one, certainly wouldn't want to have my keyring cluttered up
with all those GPG keys, or managing the trust state of all those
keys to prevent GPG warnings such as:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Having PyPI sign the file would also make it possible to keep files
whose uploader key was later revoked, or has since expired, in a
verifiable state.

> I will draft an updated document, based on Heimes' proposal, so that we can all synchronize.

Ok.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 07 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
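The two verification models argued over above, as an added example that is not part of the original message or of pip/PyPI: model A has PyPI name an authoritative uploader key per package and pip verify the uploader's signature with a key it had to fetch and certify locally; model B has PyPI sign the file with one key that is the only one the client needs. The signature primitive is an HMAC-SHA256 stand-in so the code runs with the standard library alone (the real design would use OpenPGP detached signatures); the key records, fingerprints, package bytes and toy day-count clock are all constructed for the demonstration, and the status strings are this example's own names for the gpg conditions they mirror.

```python
"""Trust-model comparison for verifying PyPI downloads (added example, stdlib only).

The signature primitive is an HMAC-SHA256 stand-in so the code runs without GPG;
the real design would use OpenPGP detached signatures. The keyring and trust
logic is the part under discussion in the thread, and that is what this models.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Key:
    fingerprint: str       # constructed identifiers, e.g. "ABCD1234" from the thread
    owner: str
    secret: bytes          # stand-in for the private key
    expires: int           # last day on which the key is valid (toy clock)
    revoked: bool = False
    trusted: bool = False  # has the local keyring certified this key?


def sign(key: Key, data: bytes) -> bytes:
    return hmac.new(key.secret, data, hashlib.sha256).digest()


def key_status(keyring: dict, fingerprint: str, now: int) -> str:
    """Mirror the checks gpg applies before it will accept a signature."""
    key = keyring.get(fingerprint)
    if key is None:
        return "missing"      # pip would first have to fetch it from a keyserver
    if key.revoked:
        return "revoked"
    if now > key.expires:
        return "expired"
    if not key.trusted:
        return "untrusted"    # gpg: WARNING: This key is not certified with a trusted signature!
    return "ok"


def verify(keyring: dict, fingerprint: str, data: bytes, sig: bytes, now: int) -> str:
    status = key_status(keyring, fingerprint, now)
    if status != "ok":
        return status
    expected = sign(keyring[fingerprint], data)
    return "ok" if hmac.compare_digest(expected, sig) else "bad-signature"


@dataclass
class Release:
    name: str
    data: bytes
    uploader_fpr: str    # what PyPI tells pip: "key X is authoritative for this package"
    uploader_sig: bytes
    pypi_sig: bytes      # the additional PyPI signature proposed in the thread


def verify_per_uploader(rel: Release, keyring: dict, now: int) -> str:
    """Model A: pip checks the uploader's own signature with the uploader's key."""
    return verify(keyring, rel.uploader_fpr, rel.data, rel.uploader_sig, now)


def verify_pypi_signed(rel: Release, keyring: dict, pypi_fpr: str, now: int) -> str:
    """Model B: pip checks PyPI's signature; only the PyPI key has to be in the keyring."""
    return verify(keyring, pypi_fpr, rel.data, rel.pypi_sig, now)


def scenario(now: int, uploader_revoked: bool = False) -> dict:
    """Constructed data: one PyPI key, one expiring uploader key, one uncertified uploader key."""
    pypi = Key("PYPI0001", "pypi", secrets.token_bytes(32), expires=10_000, trusted=True)
    django_key = Key("ABCD1234", "django uploader", secrets.token_bytes(32),
                     expires=400, revoked=uploader_revoked, trusted=True)
    other_key = Key("EEEE5678", "other uploader", secrets.token_bytes(32),
                    expires=10_000, trusted=False)

    django = Release("django", b"Django-1.5.tar.gz (constructed bytes)",
                     django_key.fingerprint, b"", b"")
    django.uploader_sig = sign(django_key, django.data)
    django.pypi_sig = sign(pypi, django.data)
    other = Release("other", b"other-0.1.tar.gz (constructed bytes)",
                    other_key.fingerprint, b"", b"")
    other.uploader_sig = sign(other_key, other.data)
    other.pypi_sig = sign(pypi, other.data)

    keyring_a = {k.fingerprint: k for k in (pypi, django_key, other_key)}  # one key per uploader
    keyring_b = {pypi.fingerprint: pypi}                                   # just the PyPI key
    tampered = django.data + b"\x00"

    return {
        "keyring_sizes": (len(keyring_a), len(keyring_b)),
        "django_per_uploader": verify_per_uploader(django, keyring_a, now),
        "django_pypi_signed": verify_pypi_signed(django, keyring_b, pypi.fingerprint, now),
        "other_per_uploader": verify_per_uploader(other, keyring_a, now),
        "other_pypi_signed": verify_pypi_signed(other, keyring_b, pypi.fingerprint, now),
        "tampered_pypi_signed": verify(keyring_b, pypi.fingerprint, tampered, django.pypi_sig, now),
    }


if __name__ == "__main__":
    for day in (100, 500):
        print(day, scenario(day))
    print("revoked", scenario(100, uploader_revoked=True))
```

Run with the toy clock at day 100 and again at day 500 (past the uploader key's expiry): model A verifies django on day 100 but reports the key as expired on day 500, and reports the uncertified uploader's key as untrusted on any day, which is the gpg warning quoted above; model B verifies both releases on both days with a one-entry keyring, and still rejects a modified file. The caveat the thread itself raises still holds: model B only proves that PyPI served the file, not that the named uploader produced it, so it is a usability measure that can sit beside the uploader's own signature rather than replace it.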

