[Distutils] Sooner or later, we're going to have to be more formal about how we name packages.
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Sun Jun 2 15:52:40 CEST 2013
On 6/2/13 9:01 AM, Nick Coghlan wrote:
> On Sun, Jun 2, 2013 at 10:09 PM, Donald Stufft <donald at stufft.io> wrote:
>> If we deploy some sort of end to end signing I think TUF is a good
>> implementation of it.
>>
>> I'm not sold on the possibility of reasonably doing end to end signing here
>> though.
>
> I think in the long run it's a technology we want to offer, but even
> with it deployed PyPI would continue to act as a trusted intermediary
> in most cases. Effective key management is such a PITA that only a few
> larger projects would be in a real position to take direct advantage
> of end-to-end signing - for the remaining projects, trusting PyPI not
> to get compromised is already the status quo.
>
Yes, key management could be a real PITA if we do not consider
usability. In our design proposal, we talked about how to try to
maximize usability and security, by keeping the truly critical keys
offline (which would be used rarely), and the not-so-critical keys
online (which means that automation can easily use them).
We will be working on TUF and PyPI full-time this summer. As I write
this, we are introducing additional security mechanisms for some cases
which arise frequently; e.g. how do we tell TUF to put more trust in
packages from a stable-release role versus a bleeding-edge role?
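The offline/online key split described above, as an added Go illustration that is not part of this post or of the TUF project's code: TUF-style role thresholds where two offline keys must both sign root metadata while one online key is enough for the targets role, so a compromised online key cannot rewrite root-level trust on its own. The role layout, thresholds, key labels and metadata bytes are constructed assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Role is a TUF-style role: its allowed signing keys and how many must sign.
type Role struct {
	Keys      []ed25519.PublicKey
	Threshold int
}

// VerifyRole reports whether sigs (raw public-key bytes -> signature) carries
// enough valid signatures from distinct in-role keys; other keys never count.
func VerifyRole(role Role, metadata []byte, sigs map[string][]byte) bool {
	valid := 0
	for _, allowed := range role.Keys {
		if sig, ok := sigs[string(allowed)]; ok && ed25519.Verify(allowed, metadata, sig) {
			valid++
		}
	}
	return valid >= role.Threshold
}

// keyFor derives a deterministic demo key pair from a label (constructed; not a real key ceremony).
func keyFor(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario models the split from the post: two offline root keys (threshold 2) and
// one online targets key (threshold 1). It reports whether root metadata verifies with
// both offline keys, with only the online key (an online-key compromise), and whether
// targets metadata verifies with the online key alone.
func Scenario() (rootOffline, rootOnlineOnly, targetsOnline bool) {
	off1Pub, off1 := keyFor("offline-root-key-1")
	off2Pub, off2 := keyFor("offline-root-key-2")
	onPub, on := keyFor("online-targets-key")
	root := Role{[]ed25519.PublicKey{off1Pub, off2Pub}, 2}
	targets := Role{[]ed25519.PublicKey{onPub}, 1}
	rootMeta := []byte(`{"role":"root","version":2}`)      // constructed sample metadata
	targetsMeta := []byte(`{"role":"targets","version":9}`) // constructed sample metadata
	rootOffline = VerifyRole(root, rootMeta, map[string][]byte{
		string(off1Pub): ed25519.Sign(off1, rootMeta), string(off2Pub): ed25519.Sign(off2, rootMeta)})
	rootOnlineOnly = VerifyRole(root, rootMeta, map[string][]byte{string(onPub): ed25519.Sign(on, rootMeta)})
	targetsOnline = VerifyRole(targets, targetsMeta, map[string][]byte{string(onPub): ed25519.Sign(on, targetsMeta)})
	return
}
```

Scenario() returns true, false, true: the online key alone signs targets but can never satisfy the root threshold, which is what keeps the rarely used offline keys in control of the trust root.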