
On Mar 20, 2013, at 12:31 PM, Nick Coghlan <ncoghlan@gmail.com> wrote:
On Wed, Mar 20, 2013 at 9:03 AM, Steve Dower <Steve.Dower@microsoft.com> wrote:
From: Nick Coghlan [mailto:ncoghlan@gmail.com] [snip]
I was pointed to an interesting resource: http://www.lfd.uci.edu/~gohlke/pythonlibs/
(The security issues with that arrangement are non-trivial, but the convenience factor is huge)
FWIW, one of the guys on our team has met with Christoph and considers him trustworthy.
Thanks, that's great to know, and ties into an idea that I just had. In addition to whether or not the build is trusted, there's also the risk of MITM attacks against the download site (less so when automated installers aren't involved, but still a risk). We just switched PyPI over to HTTPS for that very reason.
The idle thought I had was that it may be useful if PyPI users could designate other users as "repackagers" for their project, and PyPI offered an interface that was *just* file uploads for an existing release.
I *think* if done properly a TUF-secured API can be set up so that the role for signing certain files can be delegated, but I'm not sure.
Then the pip developers, for example, could say "we trust Christoph to make our Windows installers", and grant him repackager access so he could upload the binaries for secure redistribution from PyPI rather than needing to host them himself.
We'd probably want something like this for an effective build farm system anyway, this way it could work regardless of whether it was a human or an automated system converting the released sdists to platform specific binaries.
Cheers, Nick.
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
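To make the delegation idea discussed in this thread concrete, here is an added, simplified model of a TUF-style delegated targets role: it is an illustration written for this page, not TUF's actual metadata format or code, and not anything from PyPI or pip. HMAC with constructed secrets stands in for the asymmetric signatures real TUF uses, and the file names, contents and key names are constructed.

```python
import fnmatch
import hashlib
import hmac
import json

# Constructed keys: HMAC secrets stand in for the asymmetric keys real TUF uses.
KEYS = {"pip-maintainers": b"constructed-key-A", "christoph": b"constructed-key-B"}
def sign(keyid, metadata):
    canonical = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(KEYS[keyid], canonical, hashlib.sha256).hexdigest()
def verify(keyid, metadata, sig):
    return hmac.compare_digest(sign(keyid, metadata), sig)
def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed release contents standing in for the real sdist and installer bytes.
SDIST = b"pip-1.3 sdist contents"
WIN_EXE = b"pip-1.3 win32 installer contents"

# Top-level targets metadata, signed by the project: it vouches for the sdist
# itself and delegates only files matching pip-*.win32.exe to the repackager key.
TARGETS = {
    "targets": {"pip-1.3.tar.gz": sha256(SDIST)},
    "delegations": [{"name": "windows-binaries", "keyids": ["christoph"],
                     "paths": ["pip-*.win32.exe"]}],
}
TARGETS_SIG = sign("pip-maintainers", TARGETS)

# Delegated metadata uploaded by the repackager. The second entry is outside
# the delegated paths, so a client must ignore it even though the signature is valid.
REPACKAGER = {"targets": {"pip-1.3.win32.exe": sha256(WIN_EXE),
                          "pip-1.4.tar.gz": sha256(b"not his to sign")}}
REPACKAGER_SIG = sign("christoph", REPACKAGER)

def expected_hash(filename):
    """Trusted hash for filename, or None when no authorized role vouches for it."""
    if not verify("pip-maintainers", TARGETS, TARGETS_SIG):
        return None
    if filename in TARGETS["targets"]:
        return TARGETS["targets"][filename]
    for role in TARGETS["delegations"]:
        if not any(fnmatch.fnmatch(filename, p) for p in role["paths"]):
            continue  # the delegated key is only trusted for its delegated paths
        if any(verify(k, REPACKAGER, REPACKAGER_SIG) for k in role["keyids"]):
            return REPACKAGER["targets"].get(filename)
    return None

def verify_download(filename, content):
    """Accept a downloaded file only if an authorized role signed its hash (defeats MITM swaps)."""
    h = expected_hash(filename)
    return h is not None and hmac.compare_digest(h, sha256(content))
```

A client following this logic accepts the Windows installer on the repackager's say-so, rejects a tampered download by hash mismatch, and ignores any entry the repackager publishes outside the paths the project delegated to him.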