On 6/2/13 9:01 AM, Nick Coghlan wrote:
> On Sun, Jun 2, 2013 at 10:09 PM, Donald Stufft wrote:
>> If we deploy some sort of end-to-end signing I think TUF is a good implementation of it.
>> I'm not sold on the possibility of reasonably doing end-to-end signing here though.
> I think in the long run it's a technology we want to offer, but even with it deployed PyPI would continue to act as a trusted intermediary in most cases. Effective key management is such a PITA that only a few larger projects would be in a real position to take direct advantage of end-to-end signing - for the remaining projects, trusting PyPI not to get compromised is already the status quo.
Yes, key management could be a real PITA if we do not consider usability. In our design proposal, we talked about how to try to maximize usability and security, by keeping the truly critical keys offline (which would be used rarely), and the not-so-critical keys online (which means that automation can easily use them). We will be working on TUF and PyPI full-time this summer. As I write this, we are introducing additional security mechanisms for some cases which arise frequently; e.g. how do we tell TUF to put more trust in packages from a stable-release role versus a bleeding-edge role?
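An added illustration of the offline/online key split and per-role trust described above; this is example code, not the thread's or TUF's own implementation. HMAC-SHA256 secrets stand in for the Ed25519 key pairs TUF actually uses, and the key names, role names and thresholds are assumed.

```python
import hashlib
import hmac
import json

# Constructed keys. HMAC secrets stand in for real signing key pairs;
# the "offline" keys would normally live on air-gapped media.
KEYS = {
    "offline-1": b"offline-secret-1",
    "offline-2": b"offline-secret-2",
    "online-ci": b"online-secret",
}

def canonical(signed):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(signed, keyids):
    """Produce TUF-style metadata: a signed body plus one signature per key."""
    return {"signed": signed, "signatures": [
        {"keyid": k, "sig": hmac.new(KEYS[k], canonical(signed), hashlib.sha256).hexdigest()}
        for k in keyids]}

def verify_role(meta, role):
    """True only if at least role['threshold'] distinct role keys signed it."""
    good = set()
    for s in meta["signatures"]:
        k = s["keyid"]
        if k in role["keyids"] and k in KEYS:
            expect = hmac.new(KEYS[k], canonical(meta["signed"]), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expect, s["sig"]):
                good.add(k)
    return len(good) >= role["threshold"]

# Root (signed by offline keys) declares the delegations and their thresholds:
# "stable" needs 2 offline keys, "bleeding-edge" accepts 1 online CI key.
ROOT_SIGNED = {"roles": {
    "root": {"keyids": ["offline-1", "offline-2"], "threshold": 2},
    "stable": {"keyids": ["offline-1", "offline-2"], "threshold": 2},
    "bleeding-edge": {"keyids": ["online-ci"], "threshold": 1},
}}
ROOT = sign(ROOT_SIGNED, ["offline-1", "offline-2"])

def trusted_targets(root, role_name, role_meta):
    """Return the targets a client may install from role_name, or None."""
    roles = root["signed"]["roles"]
    if not verify_role(root, roles["root"]):
        return None
    if role_name not in roles or not verify_role(role_meta, roles[role_name]):
        return None
    return role_meta["signed"]["targets"]
```

A compromise of the online CI key lets an attacker publish only under the bleeding-edge role; the stable role still demands two offline keys.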