I was more pushing for the transitive trust element than signing. That
being said, any signing at all would be progress.
On Jun 1, 2017 9:07 PM, "Donald Stufft" <donald(a)stufft.io> wrote:
On Jun 1, 2017, at 8:15 PM, Matt Joyce <matt(a)nycresistor.com> wrote:
Or start doing signed pgp for package maintainers and build a transitive
trust model.
PGP is not useful for our use case except as a generic crypto primitive,
and there are better generic crypto primitives out there. See
https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/
—
Donald Stufft
Are we aware of this?
http://evilpackage.fatezero.org/
I recall there were a couple of these before which were taken down, but
someone appears to have made a cookiecutter template so you can very
easily claim names on PyPI, and anyone who installs that package will
submit their information to that site. A couple that are up at the
moment:
https://pypi.python.org/pypi/requirements-txt/1.1.1
https://pypi.python.org/pypi/ztz/0.1.1
Do we delete them? Do we try to detect similar packages being uploaded
and block them? I suspect it's a waste of time to try to prevent this in
general, but maybe it's worth protecting likely names that people might
'pip install' by mistake, such as requirements-txt.
Thomas
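The detection Thomas floats above, sketched as an added Python example that is not code from PyPI or Warehouse: normalize names the way PEP 503 does, so that requirements.txt, requirements_txt and Requirements-TXT all collide with requirements-txt, then compare an upload's name against a protected list using an edit distance that charges one edit for an adjacent transposition (the "reqeusts" style slip). The protected list, the distance threshold and the short-name cutoff are assumptions chosen for illustration, not registry policy.

```python
import re
from typing import Iterable, List, Tuple

# Constructed list of names a registry might choose to protect. Not PyPI's
# own list; "requirements-txt" is included because the thread names it as a
# likely mistaken "pip install" target (the file name typed as a package).
PROTECTED_NAMES = [
    "requests",
    "urllib3",
    "setuptools",
    "numpy",
    "pip",
    "six",
    "requirements-txt",
]

# Assumed cutoff: protected names shorter than this only block exact
# (normalized) matches. With three-letter names almost every string is one
# edit away from some other one, so a fuzzy match on them is noise.
MIN_FUZZY_LEN = 5


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition.

    Plain Levenshtein charges 2 for swapping neighbouring letters, which
    under-counts the most common typing slip; this variant charges 1.
    """
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def typosquat_matches(candidate: str, protected: Iterable[str] = PROTECTED_NAMES,
                      max_distance: int = 1) -> List[Tuple[str, int]]:
    """Return (protected_name, distance) pairs the candidate collides with or nearly matches."""
    c = normalize(candidate)
    hits = []
    for p in protected:
        pn = normalize(p)
        dist = osa_distance(c, pn)
        # Exact normalized collisions always count; fuzzy hits only for
        # protected names long enough that one edit is meaningful.
        if dist == 0 or (dist <= max_distance and len(pn) >= MIN_FUZZY_LEN):
            hits.append((p, dist))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def upload_verdict(candidate: str, protected: Iterable[str] = PROTECTED_NAMES) -> str:
    """'reject' on a normalized collision, 'review' on a near miss, else 'allow'."""
    hits = typosquat_matches(candidate, protected)
    if not hits:
        return "allow"
    return "reject" if hits[0][1] == 0 else "review"


if __name__ == "__main__":
    # Constructed sample upload names: two spellings of the thread's example,
    # a transposition typo, a short near miss and an unrelated name.
    for name in ("requirements.txt", "Requirements_TXT", "reqeusts", "pyp", "mytool"):
        print(f"{name:20} -> {upload_verdict(name):7} {typosquat_matches(name)}")
```

Distance 0 means the upload's normalized name is a protected name and is rejected outright; distance 1 against a name of five or more characters goes to human review rather than being blocked, since legitimate names sit one edit from popular ones all the time. Short names such as pip or six only match exactly, so a name like pyp passes this filter; defending those needs an explicit reservation list rather than fuzzy matching, which is the kind of "protect likely names" step the message suggests rather than a general solution.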
Or start doing signed pgp for package maintainers and build a transitive
trust model.
On Jun 1, 2017 8:14 PM, wrote:
Force packages to match their higher level import namespace in future major
Python versions and PEP it.
On Jun 1, 2017 7:37 PM, "Noah Kantrowitz" <noah(a)coderanger.net> wrote:
> On Jun 1, 2017, at 4:00 PM, Nick Timkovich <prometheus235(a)gmail.com> wrote:
>
> This issue was also brought up in January at
> https://github.com/pypa/pypi-legacy/issues/585 then just as after the
> initial "typosquatting PyPI" report (June 2016) it's met with resounding
> silence. Attacking the messenger doesn't seem like a winning move from a
> security standpoint.
>
> Can we come up with a plan to address the underlying issue and protect
> users?
If you have a systemic solution I'm sure we would love to hear it :)
--Noah
_______________________________________________
Distutils-SIG maillist - Distutils-SIG(a)python.org
https://mail.python.org/mailman/listinfo/distutils-sig
o/ Hello everyone,
I've been working on the Packaging User Guide and various discussions have
come up about the theme (
https://github.com/pypa/python-packaging-user-guide/issues/304) as well as
the common brand for PyPA projects (
https://github.com/pypa/python-packaging-user-guide/issues/62).
I'm proposing we switch PyPA projects (namely pypa.io, PyPUG, distlib, pip,
setuptools, virtualenv, warehouse, and wheel) to match the upstream CPython
docs for Python 3 (referred to as "pydoctheme").
Switching from the current readthedocs theme has a couple of advantages:
* Higher contrast and sans-serif fonts means better readability and
accessibility.
* Consistency with Python reinforces that these are "official"/"blessed"
tools & documentation.
* A central shared theme among these projects allows us to make consistent
identity modifications across projects easily.
This work has been started on PyPUG (
https://github.com/pypa/python-packaging-user-guide/pull/305#issuecomment-3…).
I have staged a build of PyPUG using the new theme here (
http://temp.theadora.io/pypug-pydoctheme/index.html). Please take a look
and comment on github with any concerns, and by all means tell me I'm crazy
for trying to do this. :)
If the primary maintainers of these projects all agree, I will create the
theme package and submit PRs to all the projects to do this migration.
You'll only need to approve. From what I understand those people are
@dstufft, @pfmoore, @jaraco, @vsajip, @dholth, and @ncoglan, but please let
me know if I missed anyone (I'm still new!)
Thanks!