Nick, Renaming the PEPs is not problem. Perhaps "PEP 458: Securing the Link from PyPI to the End User" is another option. I am going to read the Rick Walsh paper you've linked and give some careful thought to your proposal. I'll get back to you. I had one person (off-list and recommending how to better explain 480 to non-specialists) say, "the property PEP 480 gives is that developers who sign their project protect their users even if PyPI is compromised. This is because end users are told to trust the developer keys over the keys that are kept on the PyPI server. (PyPI administrators still have a way of using keys that are kept in secure, offline storage to recover if a developer's keys are lost or stolen.)" Yes, you gotta love those "aha" moments - you're in the shower and go to grab the shampoo bottle when it hits you, "aha! That's the solution... Thank you, shampoo bottle of 'Head & Shoulders'" On Fri, Jan 2, 2015 at 11:26 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:
On 3 January 2015 at 02:12, Donald Stufft <donald@stufft.io> wrote:
On Jan 2, 2015, at 10:51 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:
Getting them to manage additional keys, and get them signed and registered appropriately, and then supplying them is going to be a similar amount of work, and the purpose is far more cryptic and confusing. My proposal is basically that instead of asking developers to manage signing keys, we should instead be ask them to manage account on a validation server (or servers).
I need to think more about the rest of what you’ve said (and I don’t think it’s a short term problem), but I just wanted to point out that “managing keys” can be as simple as “create a secondary pass(word|phrase) and remember it/write it down/whatever”. It doesn’t need to be “secure this file and copy it around to all of your computers”. Likewise there’s no reason that “delegate authority to someone else” can’t be something like ``twine add-maintainer pip pfmoore``.
Yeah, I'm confident that the UI can be made relatively straightforward regardless of how we make the actual validation work. The part I haven't got the faintest clue how to do for the PEP 480 version is building viable "folks models" of what those commands are doing on the back end that will give people confidence that they understand what is going on just from using the tools, rather than leaving them wondering why they need a secondary password, etc.
From a technical perspective, I don't think the validation server idea is superior to PEP 480. Where I think it's superior is that I'm far more confident in my ability to explain to a developer with zero security background how separate validation servers provide increased security, as the separation of authority would be structural in addition to mathematical. While the real security would still be coming from the maths, a folk model that believes it is coming from the structural separation between the publication server and the metadata validation servers will be good enough for most practical purposes, and unless someone is particularly interested in the mathematical details, they can largely be handwaved away with "the separation of responsibilities between the services is enforced mathematically".
Cheers, Nick.
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia