[Python-Dev] Signed packages

Antoine Pitrou solipsis at pitrou.net
Fri Jun 22 16:19:10 CEST 2012


On Fri, 22 Jun 2012 12:27:19 +0100
Paul Moore <p.f.moore at gmail.com> wrote:
> 
> Signed binaries may be a solution. My experience with signed binaries
> has not been exactly positive, but it's an option. Presumably PyPI
> would be the trusted authority? Would PyPI and the downloaders need to
> use SSL? Would developers need to have signing keys to use PyPI? And
> more to the point, do the people designing the packaging solutions
> have experience with this sort of stuff (I sure don't :-))?

The ones signing the binaries would have to be the packagers, not PyPI.

Also, if packages are signed, you arguably don't need to use SSL when
downloading them (but SSL can still be useful for other purposes e.g.
navigating in the catalog).

PyPI-signing of packages would not achieve anything, since PyPI cannot
vouch for the quality and non-maliciousness of uploaded files. It would
only serve as a replacement for SSL downloads.

Regards

Antoine.
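As an added illustration of the point made above (example code, not from this thread, PyPI or any packaging tool): a client that trusts only the packager's own key accepts the genuine archive no matter how it was fetched, rejects bytes altered in transit, and gives no credit to a signature made with the index's key. It assumes Ed25519, a hypothetical per-package trust store and constructed archive bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TrustStore maps a package name to the packager keys the client has chosen
// to trust (hypothetical structure; how keys are distributed is out of scope).
type TrustStore map[string][]ed25519.PublicKey

// SignPackage is the packager's step: sign the SHA-256 digest of the archive.
func SignPackage(priv ed25519.PrivateKey, archive []byte) []byte {
	digest := sha256.Sum256(archive)
	return ed25519.Sign(priv, digest[:])
}

// VerifyDownload is the client's step after fetching archive and signature over
// any channel, plain HTTP included: accept only if a trusted packager key signed it.
func VerifyDownload(ts TrustStore, pkg string, archive, sig []byte) bool {
	digest := sha256.Sum256(archive)
	for _, pub := range ts[pkg] {
		if ed25519.Verify(pub, digest[:], sig) {
			return true
		}
	}
	return false
}

// Scenario runs the three cases on constructed data and returns the verdicts.
func Scenario() (genuine, tampered, indexSigned bool) {
	packagerPub, packagerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, indexPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for an index-held key
	ts := TrustStore{"example-pkg": {packagerPub}}
	archive := []byte("example-pkg-1.0.tar.gz (constructed archive bytes)")
	sig := SignPackage(packagerPriv, archive)
	genuine = VerifyDownload(ts, "example-pkg", archive, sig)
	// Bytes modified between index and client: the packager signature no longer matches.
	altered := append([]byte(nil), archive...)
	altered[0] ^= 0xff
	tampered = VerifyDownload(ts, "example-pkg", altered, sig)
	// A signature by the index over whatever it serves says nothing about the packager.
	indexSig := SignPackage(indexPriv, altered)
	indexSigned = VerifyDownload(ts, "example-pkg", altered, indexSig)
	return
}

func main() { fmt.Println(Scenario()) } // prints: true false false
```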



