[Catalog-sig] Including GnuPG with packaging tools

Nick Coghlan ncoghlan at gmail.com
Sun Feb 10 23:37:11 CET 2013


On 11 Feb 2013 03:54, "Donald Stufft" <donald.stufft at gmail.com> wrote:
>
> On Sunday, February 10, 2013 at 12:53 PM, Giovanni Bajo wrote:
>>
>> On 10/feb/2013, at 18:08, Antoine Pitrou <solipsis at pitrou.net> wrote:
>>
>>>
>>> Hello,
>>>
>>> Vinay Sajip <vinay_sajip <at> yahoo.co.uk> writes:
>>>>
>>>>
>>>> I've contacted the FSF about the licensing implications of including
>>>> gpg with Python programs. This is primarily for Windows - Posix users
>>>> are better off installing through their distro package manager or
>>>> equivalent of the Homebrew/MacPorts type, if necessary.
>>>
>>>
>>> You want to post this on python-dev, not catalog-sig.
>>>
>>> Also, before inquiring about legal matters, it should first be decided
>>> whether it is desirable to ship our version of GnuPG, or not.
>>> (unless there has already been a thread about this and I've missed it :-))
>>
>>
>>
>> There is an open discussion whether to use TUF or GPG. If we go with
>> GPG, then we will discuss what to do, given that:
>>
>> 1) for users, the problem is not on python-dev, but rather on the
>> maintainers of package managers (pip, easy_install) that need to decide
>> how to ship/install GPG to verify signatures.
>> 2) for maintainers, I don't see a strong need to ship it with distutils
>> within Python, as long as we have clear documentation on how to install
>> it. But this is open for discussion of course.
>>
> I didn't see TUF mention anywhere what technology would be used to sign
> its files. So it's possible to use GPG (or possibly another one?)

It specifically mentions PKCS#1, but the scheme seemed flexible enough to
accommodate the use of GPG instead.

There are more significant differences in the trust model between TUF and
Giovanni's design, though. The generality of TUF makes it more complex in
some regards, since it delegates trust for specific relative target paths
within the repo, whereas Giovanni's model just delegates trust for
distributions. However, TUF also already accounts for several additional
attack vectors (like deliberately providing old versions).

Cheers,
Nick.
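The two TUF properties Nick contrasts with Giovanni's design, delegation scoped to relative target paths and rejection of replayed old metadata, as an added illustration that is not code from TUF, from any mailing-list participant, or from pip. The delegation table, role names, key ids and version numbers are constructed, and signature verification is assumed to have already happened before these checks run.

```python
import fnmatch

class RollbackError(Exception):
    """Metadata version is lower than one this client already trusted."""

class DelegationError(Exception):
    """Role or key is not trusted for the requested target path."""

# Constructed delegations from the top-level targets role. A delegated role may
# only vouch for targets whose relative repo path matches one of its patterns;
# TUF resolves a path against delegations in order and the first match wins,
# so a narrower project-specific role shadows the catch-all community role.
DELEGATIONS = [
    {"role": "requests-owners", "paths": ["packages/requests/*"], "keyids": {"key-req"}},
    {"role": "community",       "paths": ["packages/*"],          "keyids": {"key-comm"}},
]

def find_delegate(delegations, target_path):
    """Return the first delegation whose patterns cover target_path, or None."""
    for d in delegations:
        if any(fnmatch.fnmatchcase(target_path, p) for p in d["paths"]):
            return d
    return None

def verify_target(seen_versions, delegations, role, signer_keyid, metadata, target_path):
    """Return the trusted description (length/hashes) of target_path.

    seen_versions maps role -> highest metadata version accepted so far; a real
    client persists it across runs so a repository cannot serve older metadata
    (the "deliberately providing old versions" attack) without being noticed.
    """
    delegate = find_delegate(delegations, target_path)
    if delegate is None or delegate["role"] != role:
        raise DelegationError(f"{role!r} is not the role trusted for {target_path!r}")
    if signer_keyid not in delegate["keyids"]:
        raise DelegationError(f"key {signer_keyid!r} is not delegated to {role!r}")
    if metadata["version"] < seen_versions.get(role, 0):
        raise RollbackError(f"{role!r} version {metadata['version']} < "
                            f"{seen_versions[role]} already seen")
    seen_versions[role] = metadata["version"]
    if target_path not in metadata["targets"]:
        raise DelegationError(f"{target_path!r} is not listed by {role!r}")
    return metadata["targets"][target_path]

if __name__ == "__main__":
    seen = {}  # constructed client state
    meta = {"version": 5, "targets": {"packages/requests/requests-1.1.tar.gz":
            {"length": 123, "hashes": {"sha256": "<constructed>"}}}}
    print(verify_target(seen, DELEGATIONS, "requests-owners", "key-req", meta,
                        "packages/requests/requests-1.1.tar.gz"))
```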


