<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 1, 2017 at 10:46 PM, Pandu Poluan <span dir="ltr"><<a href="mailto:pepoluan@gmail.com" target="_blank">pepoluan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div><div>+1 for transitive trust.<br><br></div>At the base/simplest level, `pip` would trust any packages trusted by PyPI.<br><br></div>More advanced users / more security-oriented installation can add additional "required trusts".<br><br></div>Maybe another special "PyPI Curator" pseudo-user. All packages whose signing key is trusted by PyPI *and* PyPI Curator can be deemed trustworthy.<br></div></div></div></div></div></div></div></blockquote><div><br></div><div>Ha!</div><div><br></div><div>"Implement "hook" support for package signature verification"</div><div><a href="https://github.com/pypa/pip/issues/1035">https://github.com/pypa/pip/issues/1035</a></div><div><br></div><div>- TUF (The Update Framework)</div><div><br></div><div> - (How does this work with DevPi / mirroring?)</div><div><br></div><div>- <a href="https://github.com/pypa/pip/issues/1035#issuecomment-302766580">https://github.com/pypa/pip/issues/1035#issuecomment-302766580</a></div><div> - re: blockchain, **blockcerts** (because which keyserver is up right now?)</div><div><br></div><div>Note that:</div><div><br></div><div>- Projects define { install_requires, extras_require, } in setup.py</div><div> - setup.py is not declarative: you must execute setup.py to determine the value of install_requires for the current platform</div><div> - so, PyPi **can't** know which dependencies setup.py might list when run on a given machine</div><div> - this essentially requires recursive eval of remote code (it must run each and every setup.py)</div><div> - which is basically the exercise: download lots of executable source from hopefully trusted third parties over a hopefully secure channel</div><div><br></div><div> - this is relevant to a trust framework because the whole objective would be to "maximally verify" the trust chain for the whole dependency graph; but the dependency graph isn't known until after things are unpacked and executed</div><div> - ... which eventually brings us to: "we could/should teach devs to sign VCS commits and releases (e.g. before they're repackaged, patche, and then signed again by e.g. a linux distro)</div><div><br></div><div>- Retrieiving the dependency metadata for a project which MAY define conditional dependencies in a setup.py does require executing the setup.py (which does indeed complicate efforts to solve a dependency graph (and a trust graph) </div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><br></div>And if in a highly secure environment, probably internal curators. Which means that installation of packages will require three (or more) trusts: PyPI, PyPI Curator, <a href="mailto:curator-1@example.com" target="_blank">curator-1@example.com</a>, <a href="mailto:curator-2@example.com" target="_blank">curator-2@example.com</a>, etc.<br></div></div></div></div></div></div></blockquote><div><br></div><div>So, if this (curator approval / LikeAction / AssessAction ) does or does not occur, where should the metadata regarding who and why be stored?</div><div><br></div><div>From <a href="http://markmail.org/search/?q=list%3Aorg.python+LikeAction#query:list%3Aorg.python%20LikeAction+page:1+mid:e2xbsb2guxagtshc+state:results">http://markmail.org/search/?q=list%3Aorg.python+LikeAction#query:list%3Aorg.python%20LikeAction+page:1+mid:e2xbsb2guxagtshc+state:results</a><br></div><div><p style="padding:0px;margin:0px;color:rgb(0,0,0);font-family:Arial,Helvetica,"Luxi Sans",sans-serif;font-size:14.4px;white-space:pre"><br class="gmail-Apple-interchange-newline"></p><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">In terms of <a href="http://schema.org">schema.org</a>, a Django Packages resource has:
* [ ] a unique URI<br>* [ ] typed features (predicates with ranges)<br>* [ ] <a class="exlink gmail-mklink" href="http://schema.org/review" rel="nofollow" style="color:rgb(0,0,153)">http://schema.org/review<br></a>* [ ] <a class="exlink gmail-mklink" href="http://schema.org/VoteAction" rel="nofollow" style="color:rgb(0,0,153)">http://schema.org/VoteAction<br></a>* [ ] <a class="exlink gmail-mklink" href="http://schema.org/LikeAction" rel="nofollow" style="color:rgb(0,0,153)">http://schema.org/LikeAction</a></blockquote><div><br></div><div>- <a href="https://schema.org/AssessAction">https://schema.org/AssessAction</a></div><div> - <a href="https://schema.org/ReviewAction">https://schema.org/ReviewAction</a> </div><p></p></div><div>... "curated"</div><div><br></div><div>- "[Distutils] Maintaining a curated set of Python packages"</div><div> <a href="http://markmail.org/search/?q=list%3Aorg.python+curated#">http://markmail.org/search/?q=list%3Aorg.python+curated#</a>"</div><div>query:list%3Aorg.python%20curated+page:1+mid:ibnoqnovjxp3gavi+state:results</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><br></div><div>(The relationship need not be simple boolean AND, but can also be implemented as a score system. For examply, PyPI has weight 0.5, PyPI Curator has weight 1.0, internal company curators have weights 2.0 (> PyPI + PyPI Curator), and minimum acceptable score is 5.5, meaning that the package must be trusted by PyPI, PyPI Curator, and at least 2 internal company curators.) </div></div></div></div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div></div><div><br></div>We can even create multiple levels of "PyPI Curator":<br><br></div>* PyPI Trusted Authors -- automagically trust well-known 'authors'<br></div>* PyPI Voted Trust -- packages voted by a committee (or by minimum N users) to be trustworthy<br></div>* PyPI Audited Trust -- packages that had gone through a more thorough code audit / code review<br></div></div></blockquote><div><br></div><div>This data would be most useful if it could be merged into one graph and linked to a stable per-package URI.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div><br></div>Rgds,<br>--<br><div><div><div><div><div><div><div><div><br></div></div></div></div></div></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail-m_1659886005465685633gmail_signature">FdS Pandu E Poluan<br>~ IT Optimizer ~<br><br> • LOPSA Member #15248<br> • Blog : <a href="http://pandu.poluan.info/blog/" target="_blank">http://pandu.poluan.info/blog/</a><br> • Linked-In : <a href="http://id.linkedin.com/in/pepoluan" target="_blank">http://id.linkedin.com/in/<wbr>pepoluan</a><br></div></div>
<br><div class="gmail_quote"><div><div class="gmail-h5">On Fri, Jun 2, 2017 at 9:33 AM, Matt Joyce <span dir="ltr"><<a href="mailto:matt@nycresistor.com" target="_blank">matt@nycresistor.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail-h5"><div dir="auto">I was more pushing for the transitive trust element than signing. That being said, any signing at all would be progress.</div><div class="gmail-m_1659886005465685633HOEnZb"><div class="gmail-m_1659886005465685633h5"><div class="gmail_extra"><br><div class="gmail_quote">On Jun 1, 2017 9:07 PM, "Donald Stufft" <<a href="mailto:donald@stufft.io" target="_blank">donald@stufft.io</a>> wrote:<br type="attribution"><blockquote class="gmail-m_1659886005465685633m_8154662348545154847quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div class="gmail-m_1659886005465685633m_8154662348545154847quoted-text"><br><div><blockquote type="cite"><div>On Jun 1, 2017, at 8:15 PM, Matt Joyce <<a href="mailto:matt@nycresistor.com" target="_blank">matt@nycresistor.com</a>> wrote:</div><br class="gmail-m_1659886005465685633m_8154662348545154847m_5552483010415643758Apple-interchange-newline"><div><div dir="auto">Or start doing signed pgp for package maintainers and build a transitive trust model.</div><div class="gmail_extra"><br></div></div></blockquote><br></div><div><br></div></div><div>PGP is not useful for our use case except as a generic crypto primitive, and there are better generic crypto primitives out there. See <a href="https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/" target="_blank">https://caremad.io/posts/2<wbr>013/07/packaging-signing-not-h<wbr>oly-grail/</a></div><br><div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><br>—<font color="#888888"><br>Donald Stufft<br></font></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><br></div><br class="gmail-m_1659886005465685633m_8154662348545154847m_5552483010415643758Apple-interchange-newline">
</div>
<br></div></blockquote></div><br></div>
</div></div><br></div></div><span class="gmail-">______________________________<wbr>_________________<br>
Distutils-SIG maillist - <a href="mailto:Distutils-SIG@python.org" target="_blank">Distutils-SIG@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/distutils-sig" rel="noreferrer" target="_blank">https://mail.python.org/mailma<wbr>n/listinfo/distutils-sig</a><br>
<br></span></blockquote></div><br></div>
<br>______________________________<wbr>_________________<br>
Distutils-SIG maillist - <a href="mailto:Distutils-SIG@python.org">Distutils-SIG@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/distutils-sig" rel="noreferrer" target="_blank">https://mail.python.org/<wbr>mailman/listinfo/distutils-sig</a><br>
<br></blockquote></div><br></div></div>