[Catalog-sig] [Draft] Package signing and verification process

Lennart Regebro regebro at gmail.com
Wed Feb 6 21:55:55 CET 2013


On Wed, Feb 6, 2013 at 9:50 PM,  <martin at v.loewis.de> wrote:
> There is surely an obvious delegation of trust happening here. If plone
> has 100 dependencies, it is really the authors of plone itself which
> declared that they trust these packages; the end user in turn trusts the
> plone developers (both in their own code, and in their dependencies).
>
> So it's really the plone "top level" package which needs to declare
> e.g. what PGP keys should have signed those dependencies.
>
> E.g. the Plone package (4.2) depends on 13 other packages. It's IMO
> not too much to ask to have the author of this package
> (which happens to be "Plone Foundation") declare what GPG key
> ought to sign each of these 13 dependencies, e.g. by including
> a key ring of trusted public keys for the dependencies.

Right, but then we are again back to trusting a central authority, in
this case plone.org. If we can trust plone.org, why can't we trust
Python.org?

My suggestion earlier was that whatever system we have will by default
trust python.org. Or heck, we can even let the tools ask whether they should
trust python.org. And then things are good.

And if you for some reason don't trust python.org, then you have to
deal with your packages yourself.

//Lennart
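The delegation Martin describes above (a root key trusted by default, a top-level package shipping a keyring of the keys it trusts for each dependency, and every dependency verified under the key declared for it), written out as an added worked example. This is not code from this thread or from any PyPI tooling: Ed25519 from Go's standard library stands in for PGP, the JSON "trust manifest" format, the package names and the archive bytes are all constructed for the example, and the root key plays the role of the python.org key Lennart proposes trusting by default.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// TrustManifest is the hypothetical file a top-level package (Plone in the
// thread) would ship: for each dependency, the public key that must have
// signed it. The root (index) key signs this manifest in turn.
type TrustManifest struct {
	Package string            `json:"package"`
	Trusted map[string][]byte `json:"trusted"` // dependency name -> raw Ed25519 public key
}

// Artifact is a dependency archive with a detached signature over its bytes.
type Artifact struct {
	Name      string
	Content   []byte
	Signature []byte
}

// VerifyTree walks the delegation chain: the root key must have signed the
// manifest, and every dependency must verify under the key the manifest
// declares for it. A dependency with no declared key is rejected rather than
// silently accepted.
func VerifyTree(root ed25519.PublicKey, manifestJSON, manifestSig []byte, deps []Artifact) error {
	if !ed25519.Verify(root, manifestJSON, manifestSig) {
		return errors.New("manifest is not signed by the trusted root key")
	}
	var m TrustManifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return fmt.Errorf("manifest: %w", err)
	}
	for _, d := range deps {
		pub, ok := m.Trusted[d.Name]
		if !ok {
			return fmt.Errorf("%s: %s declares no trusted key for it", d.Name, m.Package)
		}
		if len(pub) != ed25519.PublicKeySize {
			return fmt.Errorf("%s: malformed public key in manifest", d.Name)
		}
		if !ed25519.Verify(ed25519.PublicKey(pub), d.Content, d.Signature) {
			return fmt.Errorf("%s: signature does not verify under the declared key", d.Name)
		}
	}
	return nil
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenario builds a root key (standing in for the python.org index key),
// a top-level package with two constructed dependencies, and returns the
// verification outcome for the honest tree, for a dependency re-signed by a
// key the manifest never declared, and for a manifest the root did not sign.
func RunScenario() (honest, swappedKey, forgedManifest error) {
	rootPub, rootPriv := genKey()
	aPub, aPriv := genKey()
	bPub, bPriv := genKey()
	_, attackerPriv := genKey()

	manifestJSON, err := json.Marshal(TrustManifest{
		Package: "toplevel",
		Trusted: map[string][]byte{"dep-a": aPub, "dep-b": bPub},
	})
	if err != nil {
		panic(err)
	}
	manifestSig := ed25519.Sign(rootPriv, manifestJSON)

	depA := Artifact{Name: "dep-a", Content: []byte("dep-a-1.0.tar.gz (constructed bytes)")}
	depA.Signature = ed25519.Sign(aPriv, depA.Content)
	depB := Artifact{Name: "dep-b", Content: []byte("dep-b-2.3.tar.gz (constructed bytes)")}
	depB.Signature = ed25519.Sign(bPriv, depB.Content)
	honest = VerifyTree(rootPub, manifestJSON, manifestSig, []Artifact{depA, depB})

	// Someone uploads a replacement dep-b signed with their own key: the
	// signature is valid, but not under the key toplevel delegated to.
	evil := Artifact{Name: "dep-b", Content: []byte("dep-b-2.4.tar.gz (trojaned, constructed)")}
	evil.Signature = ed25519.Sign(attackerPriv, evil.Content)
	swappedKey = VerifyTree(rootPub, manifestJSON, manifestSig, []Artifact{depA, evil})

	// The manifest itself is re-signed by a key that is not the root.
	forgedSig := ed25519.Sign(attackerPriv, manifestJSON)
	forgedManifest = VerifyTree(rootPub, manifestJSON, forgedSig, []Artifact{depA, depB})
	return honest, swappedKey, forgedManifest
}

func main() {
	h, s, f := RunScenario()
	fmt.Println("honest tree:", h)
	fmt.Println("undeclared key:", s)
	fmt.Println("forged manifest:", f)
}
```

The point of the two failing cases is that "valid signature" is not the question; "valid under the key this dependency was delegated to" is. Whoever you pick as the root (python.org, plone.org, or your own key) only has to vouch for the manifest, not for the 13 dependencies directly.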