[Python-Dev] Signed packages

martin at v.loewis.de martin at v.loewis.de
Fri Jun 22 17:24:43 CEST 2012


Quoting Antoine Pitrou <solipsis at pitrou.net>:

> On Fri, 22 Jun 2012 12:27:19 +0100
> Paul Moore <p.f.moore at gmail.com> wrote:
>>
>> Signed binaries may be a solution. My experience with signed binaries
>> has not been exactly positive, but it's an option. Presumably PyPI
>> would be the trusted authority? Would PyPI and the downloaders need to
>> use SSL? Would developers need to have signing keys to use PyPI? And
>> more to the point, do the people designing the packaging solutions
>> have experience with this sort of stuff (I sure don't :-))?
>
> The ones signing the binaries would have to be the packagers, not PyPI.

It depends. PyPI already signs all binaries (essentially) as part of the
mirror protocol. What this proves is that the mirror has not modified
the data compared to the copy of PyPI. If PyPI can be trusted not to modify
the binaries, then this also proves that the binaries are the same as
originally uploaded.

What this doesn't prove is that the upload was really made by the declared
author of the package (which could be prevented by signing the packages
by the original author); it also doesn't prove that the binaries are free
of malicious code (which no amount of signing can prove).

> PyPI-signing of packages would not achieve anything, since PyPI cannot
> vouch for the quality and non-maliciousness of uploaded files.

That's just not true. It can prove that the files have not been modified
by mirrors, caches, and the like, of which there are plenty in practice.

> It would only serve as a replacement for SSL downloads.

See above. Also notice that such signing is already implemented, as part
of PEP 381.

Regards,
Martin
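
The mirror-signature check Martin describes, as an added example that is not from this thread or from PyPI's own code: PEP 381 has the central index sign each package's simple page (served by mirrors as serversig and checked against the index's serverkey), so a client can tell whether a mirror altered the page. The example uses Ed25519 as a stand-in for the DSA signature the PEP specifies, and the index page and package name are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Index models the signing side of the mirror protocol: only the central
// index holds the private key; mirrors and clients ever see the public key.
type Index struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIndex() (*Index, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Index{pub: pub, priv: priv}, nil
}

// ServerKey is what the index publishes (PEP 381's "serverkey").
func (ix *Index) ServerKey() ed25519.PublicKey { return ix.pub }

// SignSimplePage produces the "serversig" for one package's simple page.
func (ix *Index) SignSimplePage(page []byte) []byte { return ed25519.Sign(ix.priv, page) }

// VerifyMirrorPage is the client-side check over a page and signature fetched
// from a mirror, using a serverkey obtained directly from the index. A pass
// proves the mirror served the index's copy unchanged; it proves nothing about
// who uploaded the listed files or whether they are benign.
func VerifyMirrorPage(serverkey ed25519.PublicKey, page, sig []byte) bool {
	return ed25519.Verify(serverkey, page, sig)
}

func main() {
	ix, _ := NewIndex()
	// Constructed simple-index page for a fictitious package.
	page := []byte(`<a href="../../packages/source/e/example-pkg/example-pkg-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">example-pkg-1.0.tar.gz</a>`)
	sig := ix.SignSimplePage(page)
	fmt.Println("intact page from mirror:", VerifyMirrorPage(ix.ServerKey(), page, sig))
	// A mirror or cache that swaps the digest fragment breaks the signature.
	tampered := bytes.Replace(page, []byte("#md5=0123"), []byte("#md5=ffff"), 1)
	fmt.Println("mirror-altered page:", VerifyMirrorPage(ix.ServerKey(), tampered, sig))
}
```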
