[Distutils] PGP keys required? (Re: PEP 243)

Keith Jackson krjackson at lbl.gov
Tue Feb 3 14:39:40 EST 2004


On Feb 3, 2004, at 2:01 AM, M.-A. Lemburg wrote:

> Perhaps distutils should simply start to add MD5 or SHA hash
> sums of the created archives to the meta-data which gets uploaded
> to e.g. PyPI. That way, the user can easily see whether a mirror
> has the correct packages or not. Better than nothing, I'd say,
> and easy to implement even without having to go through all the
> PKI stuff :-)


I'm all in favor of associating hashes with all packages that get 
uploaded. My real question is how do we prevent a black hat from 
uploading a new version of M2Crypto, or PyOpenSSL that has been 
trojaned. As long as they changed the hash values, and I haven't cached 
them locally, I'd have no way of knowing. I can point to real examples 
of this happening in the open-source world.

It would be fine with me if we could come up with a scheme where only 
package authors and the PyPI people need to deal with PKI. As part of 
the upload I could sign a copy of the SHA1 hash value for the package. 
This could be a detached PGP sig, an S/MIME sig, I don't care, although 
I think PGP would probably be best for our community. The PyPI could 
have a key, and then do signing BoF's at OSCON and PyCon, etc.

I don't think this should be mandatory today, but I would hate to see 
us design a system that wouldn't support rudimentary security. I think 
we do it so only the hashes are used for now by actual users. That way 
we avoid any export laws and other such nonsense. All the PGP stuff 
could be done at the cli, or as part of the auto submission process.
--keith
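The two schemes discussed above side by side, as an added illustration (not code from distutils, PyPI, or either author of the thread): the quoted proposal, a hash sum served alongside the archive, and the reply's proposal, that same hash signed by the author with a key the user has pinned locally. The index and mirror are plain dicts, the archive bytes are constructed, and the signature is textbook RSA over the SHA-1 digest with two fixed Mersenne primes as a labelled toy key so the script runs offline on Python 3.8+; it has no padding and stands in for a detached PGP or S/MIME signature only to show the trust model.

```python
"""Hash-only vs. signature-backed verification of a package upload.

Added illustration, not code from distutils, PyPI or the thread's authors.
The signature scheme is textbook RSA over a SHA-1 digest with a fixed toy
key (assumption, so the run is deterministic); it is NOT a real PGP/S-MIME
signature and must not be used as one. The point shown: a hash that travels
with the package is recomputed by whoever replaces the package, whereas a
signature cannot be re-made without the author's private key.
"""
import hashlib

# Toy signing key (assumed): two Mersenne primes, so N (~196 bits) exceeds
# any 160-bit SHA-1 digest and the digest can be signed directly.
P = (1 << 89) - 1     # Mersenne prime M89
Q = (1 << 107) - 1    # Mersenne prime M107
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
AUTHOR_PUBLIC_KEY = (N, E)          # what a user pins locally, e.g. after a key-signing BoF


def sha1_hex(archive: bytes) -> str:
    """The hash sum distutils could attach to the upload meta-data."""
    return hashlib.sha1(archive).hexdigest()


def sign_hash(hex_digest: str) -> int:
    """Author side: sign the SHA-1 digest with the private exponent."""
    return pow(int(hex_digest, 16), D, N)


def signature_matches(hex_digest: str, signature: int, public_key) -> bool:
    """User side: check the signature using only the pinned public key."""
    n, e = public_key
    return pow(signature, e, n) == int(hex_digest, 16)


def check_hash_only(archive: bytes, published_hash: str) -> bool:
    """Quoted proposal: compare the archive against the hash the index serves."""
    return sha1_hex(archive) == published_hash


def check_signed_hash(archive: bytes, published_hash: str, signature: int, pinned_key) -> bool:
    """Reply's proposal: the hash must match AND be signed by the pinned author key."""
    return (check_hash_only(archive, published_hash)
            and signature_matches(published_hash, signature, pinned_key))


def author_upload(archive: bytes) -> dict:
    """What the author pushes to the index: archive, its hash, a signature over the hash."""
    digest = sha1_hex(archive)
    return {"archive": archive, "sha1": digest, "sig": sign_hash(digest)}


def replaced_on_mirror(record: dict, replacement: bytes) -> dict:
    """A mirror serving a different archive: it can recompute the hash, but it
    holds no private key, so the old signature is all it can forward."""
    return {"archive": replacement, "sha1": sha1_hex(replacement), "sig": record["sig"]}


# Constructed sample archives (stand-ins for sdist tarballs).
GENUINE = b"# constructed sample: contents of example-pkg-1.0.tar.gz\n"
REPLACED = b"# constructed sample: same file name, different contents\n"


def run_scenario() -> dict:
    """Return which check each copy passes, so the difference is visible in one place."""
    upstream = author_upload(GENUINE)
    mirror = replaced_on_mirror(upstream, REPLACED)
    return {
        "genuine_hash_only": check_hash_only(upstream["archive"], upstream["sha1"]),
        "genuine_signed": check_signed_hash(upstream["archive"], upstream["sha1"],
                                            upstream["sig"], AUTHOR_PUBLIC_KEY),
        # Passes: the mirror recomputed the hash, exactly the gap the reply describes.
        "replaced_hash_only": check_hash_only(mirror["archive"], mirror["sha1"]),
        # Fails: the signature still covers the genuine digest, not the replaced one.
        "replaced_signed": check_signed_hash(mirror["archive"], mirror["sha1"],
                                             mirror["sig"], AUTHOR_PUBLIC_KEY),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The split matches the staged rollout suggested in the reply: users can keep comparing hashes today (the `check_hash_only` path), and the signature check can be switched on later for those who have pinned the author's key, without changing what the index stores.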