[Catalog-sig] [Draft] Package signing and verification process
Zygmunt Krynicki
zygmunt.krynicki at canonical.com
Wed Feb 6 21:57:51 CET 2013
On 06.02.2013 21:55, Lennart Regebro wrote:
> On Wed, Feb 6, 2013 at 9:50 PM, <martin at v.loewis.de> wrote:
>> There is surely an obvious delegation of trust happening here. If
>> plone has 100 dependencies, it is really the authors of plone
>> itself which declared that they trust these packages; the end
>> user in turn trusts the plone developers (both in their own code,
>> and in their dependencies).
>>
>> So it's really the plone "top level" package which needs to
>> declare e.g. what PGP keys should have signed those
>> dependencies.
>>
>> E.g. the Plone package (4.2) depends on 13 other packages. It's
>> IMO not asking too much to have the author of this package (which
>> happens to be "Plone Foundation") to declare what GPG key ought
>> to sign each of these 13 dependencies, e.g. by including a key
>> ring of trusted public keys for the dependencies.
>
> Right, but then we are again back to trusting a central authority,
> in this case plone.org. If we can trust plone.org, why can't we
> trust Python.org?
Because presumably the Plone Foundation looks at the dependency list and
cares. Nobody here suggested that the PSF should actively check what is
being uploaded to PyPI.
Thanks
ZK
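The per-dependency keyring Martin describes above (the top-level package declares which key ought to have signed each of its dependencies), as an added example that is not part of this thread or of any PyPI tooling. Ed25519 keys from Go's standard library stand in for PGP keys, the fingerprint format (truncated SHA-256 of the raw public key) and the manifest layout are assumptions, and the package names and archive bytes are constructed. The point the code makes: a signature from a key that is trusted in general is still rejected if it is not the key pinned for that particular dependency, and the signer ID carried alongside a signature is only a hint, never the decision.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Dependency is one archive as fetched from the index, with its detached
// signature and the fingerprint of the key the uploader says produced it
// (the analogue of the issuer key ID inside a PGP signature packet).
type Dependency struct {
	Name        string
	Archive     []byte
	Signature   []byte
	SignerKeyID string
}

// Keyring is what the top-level package ships: the public keys it trusts and,
// for each declared dependency, the one fingerprint that ought to have signed it.
type Keyring struct {
	Keys     map[string]ed25519.PublicKey // fingerprint -> public key
	Expected map[string]string            // dependency name -> pinned fingerprint
}

// fingerprint is an assumed identifier format: first 8 bytes of SHA-256 over
// the raw public key, hex encoded.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Verify accepts a dependency set only if nothing undeclared is present, every
// declared dependency is present, and each archive verifies under exactly the
// key pinned for it. The claimed signer ID only yields a clearer error message.
func Verify(kr Keyring, deps []Dependency) error {
	seen := make(map[string]bool)
	for _, d := range deps {
		want, ok := kr.Expected[d.Name]
		if !ok {
			return fmt.Errorf("%s: no signing key declared by the top-level package", d.Name)
		}
		if d.SignerKeyID != want {
			return fmt.Errorf("%s: claims signer %s but %s is pinned", d.Name, d.SignerKeyID, want)
		}
		pub, ok := kr.Keys[want]
		if !ok {
			return fmt.Errorf("%s: pinned key %s is not in the keyring", d.Name, want)
		}
		if !ed25519.Verify(pub, d.Archive, d.Signature) {
			return fmt.Errorf("%s: signature does not verify under pinned key %s", d.Name, want)
		}
		seen[d.Name] = true
	}
	for name := range kr.Expected {
		if !seen[name] {
			return fmt.Errorf("%s: declared dependency is missing", name)
		}
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario builds a constructed top-level package with two pinned dependencies
// and runs Verify over the cases a verifier must get right (nil = accepted).
func Scenario() map[string]error {
	pubA, privA := mustKey() // maintainer of "dep-a" (constructed)
	pubB, privB := mustKey() // maintainer of "dep-b" (constructed)
	pubX, privX := mustKey() // a key the top-level package never declared

	kr := Keyring{
		Keys:     map[string]ed25519.PublicKey{fingerprint(pubA): pubA, fingerprint(pubB): pubB},
		Expected: map[string]string{"dep-a": fingerprint(pubA), "dep-b": fingerprint(pubB)},
	}
	archA := []byte("dep-a-1.0.tar.gz: constructed archive bytes")
	archB := []byte("dep-b-2.1.tar.gz: constructed archive bytes")

	sign := func(name string, arch []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) Dependency {
		return Dependency{Name: name, Archive: arch, Signature: ed25519.Sign(priv, arch), SignerKeyID: fingerprint(pub)}
	}
	good := []Dependency{sign("dep-a", archA, pubA, privA), sign("dep-b", archB, pubB, privB)}

	// dep-b signed by A: a valid signature from a trusted key, but not the key pinned for dep-b.
	wrongKey := sign("dep-b", archB, pubA, privA)
	// Signer ID forged to match the pin while the signature was actually made by the undeclared key.
	forged := sign("dep-b", archB, pubB, privX)
	// One byte of the archive flipped after signing.
	tampered := sign("dep-b", append([]byte{}, archB...), pubB, privB)
	tampered.Archive[0] ^= 0xff
	// A package the top-level manifest never mentions.
	extra := sign("dep-c", []byte("dep-c: constructed"), pubX, privX)

	return map[string]error{
		"all pinned keys":       Verify(kr, good),
		"wrong pinned key":      Verify(kr, []Dependency{good[0], wrongKey}),
		"forged signer id":      Verify(kr, []Dependency{good[0], forged}),
		"tampered archive":      Verify(kr, []Dependency{good[0], tampered}),
		"undeclared dependency": Verify(kr, append(append([]Dependency{}, good...), extra)),
		"missing dependency":    Verify(kr, good[:1]),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

Only "all pinned keys" is accepted; every other case is rejected with a reason that names the dependency and the pinned key, which is the information a user needs to decide whether the top-level package's declaration or the upload is at fault.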