[Distutils] PyPI and GPG Signatures

Barry Warsaw barry at python.org
Thu May 12 17:38:18 EDT 2016


On May 12, 2016, at 04:34 PM, Donald Stufft wrote:

>So my response to this is, let's pretend for a minute that we have the
>greatest and most amazing setup for verifying that the key 0x6E3CBCE93372DCFA
>belongs to me. What's your next step? How do you verify that I'm allowed to
>release for pip?

I'd hope that the project home page would say that.  I sheepishly admit that
we don't have that information on the Mailman home page, but you *could*
follow the link from me (described as the lead developer) to my own home page
and then grab the key from there, verified from keybase.io.

>What happens if tomorrow I decide I'm no longer going to use key
>0x6E3CBCE93372DCFA because it got compromised (remembering that key
>revocation is hilariously broken [1]).  What if we add a new signing key
>because I'm tired of releasing pip and someone else is going to take over,
>what path is Debian going to take for verifying that some new key is allowed
>to sign for it that doesn't put "Whatever PyPI says" in the path of trust?

uscan would complain and then I'd have to try to figure out the new signing
credentials.

It's not wonderful, but for platform and package maintainers who care, I think
it does provide value, and the signing credentials likely don't change that
often.

Cheers,
-Barry
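The two questions in this exchange are separate checks: gpg can tell you that a signature was made by a given key, but only a project-level allowlist (a pinned keyring, such as the one uscan reads from debian/upstream/signing-key.asc, or a fingerprint published on the project home page) can tell you that the key is allowed to sign releases for that project. The following is an added Python example, not Barry's, Donald's or uscan's own code: it parses a gpg `--status-fd` transcript and compares the verified primary-key fingerprint against a per-project allowlist, so a rotated key is reported as a complaint rather than silently accepted. The allowlist format, the project names, the fingerprints and the status transcripts are constructed for illustration; the `[GNUPG:]` keywords are gpg's real status-fd vocabulary.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed allowlist: project name -> full 40-hex-digit fingerprints of the
# keys the project says may sign its releases.  The fingerprints in this
# example are hypothetical placeholders, not anyone's real key.
RELEASE_KEYS = {
    "pip": {"0123456789ABCDEF0123456789ABCDEF01234567"},
}

@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None

_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def judge(project: str, status_lines: Iterable[str]) -> Verdict:
    """Decide whether a gpg --status-fd transcript shows a valid signature
    from a key that is allowed to release `project`.  Order-independent:
    problems are collected first, then the fingerprint is checked."""
    allowed: Set[str] = RELEASE_KEYS.get(project, set())
    problems: List[str] = []
    fingerprint: Optional[str] = None
    for raw in status_lines:
        m = _STATUS.match(raw.strip())
        if not m:
            continue                              # not a status line; ignore
        keyword, rest = m.group(1), (m.group(2) or "")
        if keyword == "BADSIG":
            problems.append("signature does not match the data")
        elif keyword == "NO_PUBKEY":
            problems.append("signing key is not in the pinned keyring")
        elif keyword == "REVKEYSIG":
            problems.append("signing key has been revoked")
        elif keyword == "EXPKEYSIG":
            problems.append("signing key has expired")
        elif keyword == "VALIDSIG":
            fields = rest.split()
            # VALIDSIG lists the signing (sub)key fingerprint first and, as a
            # tenth field, the primary-key fingerprint; pin on the primary key.
            fingerprint = (fields[9] if len(fields) >= 10 else fields[0]).upper()
    if problems:
        return Verdict(False, "; ".join(problems), fingerprint)
    if fingerprint is None:
        return Verdict(False, "no VALIDSIG line: nothing was verified", None)
    if fingerprint not in allowed:
        return Verdict(False, f"key {fingerprint} is not an allowed release "
                              f"key for {project}", fingerprint)
    return Verdict(True, "valid signature from an allowed release key", fingerprint)

def gpg_status(signature_path: str, data_path: str, keyring_path: str) -> List[str]:
    """Run gpg against a pinned keyring only (no default keyring, no web of
    trust) and return its status lines.  Needs gpg and a binary keyring, for
    example produced with `gpg --dearmor` from an armored .asc file; the
    constructed samples below do not call it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()

# Constructed sample transcripts, shaped like gpg's status output.
_ALLOWED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
_UID = "Example Releaser <releaser@example.invalid>"

def _valid(fpr: str) -> List[str]:
    return [
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {fpr[-16:]} {_UID}",
        f"[GNUPG:] VALIDSIG {fpr} 2016-05-12 1463085498 0 4 0 1 10 00 {fpr}",
    ]

GOOD_STATUS = _valid(_ALLOWED_FPR)
ROTATED_STATUS = _valid(_OTHER_FPR)   # maintainer switched keys: must be flagged
REVOKED_STATUS = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] REVKEYSIG {_ALLOWED_FPR[-16:]} {_UID}",
    f"[GNUPG:] VALIDSIG {_ALLOWED_FPR} 2016-05-12 1463085498 0 4 0 1 10 00 {_ALLOWED_FPR}",
]
BAD_STATUS = ["[GNUPG:] NEWSIG", f"[GNUPG:] BADSIG {_ALLOWED_FPR[-16:]} {_UID}"]

if __name__ == "__main__":
    for name, lines in [("good", GOOD_STATUS), ("rotated", ROTATED_STATUS),
                        ("revoked", REVOKED_STATUS), ("bad", BAD_STATUS)]:
        print(name, judge("pip", lines))
```

The "rotated" case is the situation Barry describes: the signature is cryptographically fine, but the key is not the one pinned for the project, so the check complains and a human has to establish the new signing credentials out of band before updating the allowlist.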