[SciPy-Dev] [Numpy-discussion] scipy 0.18 release candidate 1

Nathaniel Smith njs at pobox.com
Thu Jun 23 14:47:37 EDT 2016


On Jun 23, 2016 11:23 AM, "Pauli Virtanen" <pav at iki.fi> wrote:
>
> > Tue, 21 Jun 2016 17:23:59 -0700, Nathaniel Smith wrote:
>
> > On Jun 21, 2016 14:37, "Evgeni Burovski" <evgeny.burovskiy at gmail.com>
> > wrote:
> >>
> >> One question --- equally applicable to both pre-release and final
> >> releases: Security. If we download the wheels from the build farm and
> > >> then upload to PyPI, how can a user check that what they download has
> > >> not been tampered with?
> >>
> >> For source tarballs (and previously, Windows installers), we PGP sign
> >> the git tag and include checksums in the README file. This way they can
> >> at least verify the checksums.
> >
> > I'm dubious that this really accomplishes much:
> >   https://caremad.io/2013/07/packaging-signing-not-holy-grail/
>
> Well, security is best done in depth, and signing source tarballs is
> little extra work.
>
> That article talks about package signing, but it is only from the point
> of view of a random user.
>
> If it later becomes necessary to try to find out whether some tarballs
> are compromised by someone replacing release files on Github (or
> sourceforge injecting adware) etc., this is possible for me to do. I have
> my own key, and the keys by Ralf and Evgeni that I know are with high
> likelihood valid (assuming their laptops are not compromised).

I believe the question was specifically about wheels that aren't being
built by any of those three people though? But anyway, yeah, that is the
main situation where this kind of package signing might help, and which I
addressed in the second half of the email :-). But note that it would also
work just as well to, say, keep a text file in the scipy repo that has the
sha256 of every file uploaded to pypi. (Maybe even better, because someone
who attacked pypi could delete the PGP signatures to confuse matters, and
do you have backups?)

-n
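The "text file in the repo with the sha256 of every uploaded file" that Nathaniel suggests is easy to sketch. The following is an added example, not code from the SciPy project or from anyone in this thread. It assumes the manifest uses the `sha256sum -c` line format (`<hex digest>  <file name>`), and the file names and contents it hashes are constructed for the example. The one design point worth noting is the third verdict: a verifier that only checks files it recognises will happily accept a file an attacker added under a new name, so "not in the manifest" is reported as its own failure rather than silently ignored.

```python
"""Record and verify sha256 digests of release artifacts.

Added example (not SciPy's own tooling). File names and contents below are
constructed; the manifest format assumed is the `sha256sum -c` line format.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large wheel is not read into memory at once


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Map artifact basename -> sha256 hex digest; basenames must be unique."""
    manifest = {}
    for p in paths:
        name = os.path.basename(p)
        if name in manifest:
            raise ValueError("duplicate artifact name: %s" % name)
        manifest[name] = sha256_of_file(p)
    return manifest


def format_manifest(manifest):
    """Render as '<hex>  <name>' lines (two spaces), sorted for stable diffs."""
    return "".join("%s  %s\n" % (digest, name)
                   for name, digest in sorted(manifest.items()))


def parse_manifest(text):
    """Parse the text format back; reject anything that is not a 64-hex digest."""
    manifest = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed manifest line %d: %r" % (lineno, line))
        digest, name = parts[0].lower(), parts[1]
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("bad digest on line %d" % lineno)
        if name.startswith("*"):  # sha256sum's binary-mode marker
            name = name[1:]
        manifest[name] = digest
    return manifest


def verify_file(path, manifest):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded artifact."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # a file the release never published: treat as a failure
    actual = sha256_of_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Build a manifest for two constructed artifacts, then verify an intact
    download, a tampered one and an unlisted one. Returns the three verdicts."""
    with tempfile.TemporaryDirectory() as d:
        wheel = os.path.join(d, "scipy-0.18.0rc1-cp35-cp35m-manylinux1_x86_64.whl")
        sdist = os.path.join(d, "scipy-0.18.0rc1.tar.gz")
        with open(wheel, "wb") as f:
            f.write(b"PK\x03\x04 constructed wheel contents")
        with open(sdist, "wb") as f:
            f.write(b"\x1f\x8b constructed sdist contents")

        # Round-trip through the text format, as a user reading it from the repo would.
        manifest = parse_manifest(format_manifest(build_manifest([wheel, sdist])))

        intact = verify_file(wheel, manifest)
        with open(wheel, "ab") as f:
            f.write(b"\x00")  # simulate a wheel modified on the download host
        tampered = verify_file(wheel, manifest)

        rogue = os.path.join(d, "scipy-0.18.0rc1-cp27-cp27mu-manylinux1_x86_64.whl")
        with open(rogue, "wb") as f:
            f.write(b"file that was never part of the release")
        unlisted = verify_file(rogue, manifest)
        return intact, tampered, unlisted


if __name__ == "__main__":
    print(demo())  # ('ok', 'mismatch', 'unlisted')
```

The manifest is only as trustworthy as the copy of the repository it is read from, so it complements rather than replaces a signed tag: the signature covers the commit containing the manifest, and the manifest covers the wheels that the signing keys never saw.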