On Jan 2, 2015, at 6:04 AM, Paul Moore firstname.lastname@example.org wrote:
On 2 January 2015 at 06:38, Donald Stufft email@example.com wrote:
Developer keys get signed by offline keys controlled by I’m guessing either myself or Richard or both.
One thought here. The issue being discussed here seems mainly to be that it's hard to manage signing of developer keys. That's certainly one issue, but another is that the signing process takes time. When I set up my first project , I did so because I had an idea one afternoon, knocked up the first draft and set up the project. If there had been a delay of a week because you and Richard were both on holiday (or even a day, because of timezones) I may not have bothered
You could argue that we don't want projects on PyPI that have been set up with so little preparation - it's a valid position to take - but that's a separate matter. I just want to make the point that management isn't the only issue here. Turnaround time is also a barrier to entry that needs to be considered. And not every project that people want to publish is something major like requests or django...
 I assume I only need to set up a key once, for my PyPI account. If I need an individual key per project, the cost multiplies. And it means that the barrier is to all new projects, rather than merely to attracting new developers.
To be clear, there is zero delay in being able to publish a new project, the delay is between moving from a new project being validated by an online key to an offline key. The only real difference between validation levels is that until it's been signed by an offline key then people installing that project are vulnerable to someone compromising PyPI. This is because until the delegation of project X to a specific developer has been signed the "chain of trust" contains a key that is sitting on the harddrive of PyPI.
However, once a delegation of Project X _has_ been signed changing that delegation would need waiting until the next time the delegations were signed by the offline keys. This is because once a project is signed by an offline key then all further changes to the delegation require offline signing.
In addition, this does not mean (I believe! we should verify this) that the owner of a project cannot further delegate to other people without delay, since they'll be able to sign that delegation with their own keys and won't require intervention from PyPI.
So really it looks like this (abbreviated, not exactly, etc):
root (offline) |- PyPI Admins (offline) |- "Unclamined" (online) |- New Project that hasn't yet been signed for by PyPI Admins (offline, owned by author) |- Existing Project that has already been signed for by PyPI Admins (offline, owned by author)
The periodic signing process by the PyPI admins just moves a new project from being signed for by the "Unclaimed" online key to being signed for by our offline keys. This process is basically invisible to everyone involved.
Does that make sense?
Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA