>> If we didn’t want to trust any binaries built by someone else or proprietary code, how much work would that be?
- Docker Notary (The Update Framework)
- PEP 458, PEP 480 (TUF)
- Host GPG .asc(s) for things you just found
## To build the whole toolchain yourself?
Build, Package, Install, Upgrade/Replace_with_new_container
- Makefile
- Conda-forge recipes with CI (meta.yaml, build.sh)
- [x] platform / architecture compilation optimizations
- [x] support for Windows (build.bat)
- [x] support for Mac & Linux (build.sh)
- conda constructor
  - build an installer
- tar up the whole virtualenvwrapper virtualenv and unpack that into the exact same path in a container
  - and check the .ASC
## To sign trusted releases:
- See: Warehouse & GPG, Wheel & signatures
- *The Update Framework*
- There are plans to merge support for TUF (which is designed to withstand package repo compromise) into Warehouse at some point, AFAIU.
TUF: The Update Framework
========================
- Docker Notary supports TUF
- TUF is mostly written in Python
- Python PEP 458:
  - "Implement "hook" support for package signature verification."
## To build native packages for your package and the whole toolchain?
- fpm
- release keys (note that any key in the ring can sign for any package)
- docker/kubernetes
- conda-forge (Appveyor, CircleCI, Travis CI)
- OSX instances
fpm
=====
- { deb, rpm, osxpkg, tar, }
## To host package repositories yourselves:
Pulp
=====
## To sign releases uploaded to e.g. GitHub (which are CDN'd, AFAIU):
- Wheel had a native signing mechanism that's since been removed
- [ ] Attach a GPG .asc signature to the GitHub release
## To sign commits and merges:
- Configure a per-project GPG agent and keyring config
- Trust local datetimes
- Remember that `git push -f` can occur.
## Include SELinux filesystem labels with the package:
- This isn't possible with Python packaging (without extending `setup.py` with a custom command with a build dependency, or calling out to a shell script that may be locatable with `distutils.spawn.find_executable`)
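As an added example (not from this post and not TUF's own code), a stdlib-only sketch of the TUF-style check behind the "any key in the ring can sign for any package" point above: per-role key delegation, a signature threshold, metadata expiry, and length/hash pinning of the artifact. HMAC-SHA256 stands in for the ed25519/RSA signatures a real TUF client verifies, and the role names, key ids and artifact bytes are constructed.

```python
# Added example, not part of the post or of TUF: a TUF-style release check.
# HMAC-SHA256 stands in for asymmetric signatures so this runs with the stdlib only.
import hashlib
import hmac
import json

# Constructed delegation table: which keys may sign for which paths, and how many
# signatures are required. Unlike a flat GPG keyring, k3 cannot vouch for mypkg.
DELEGATIONS = {
    "mypkg": {"keyids": ["k1", "k2"], "threshold": 2, "paths": ["mypkg-1.0.tar.gz"]},
    "other": {"keyids": ["k3"], "threshold": 1, "paths": ["other-2.0.tar.gz"]},
}
KEYS = {"k1": b"secret-one", "k2": b"secret-two", "k3": b"secret-three"}  # stand-in keys


def canonical(signed):
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(keyid, signed):
    return {"keyid": keyid, "sig": hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()}


def make_targets(path, data, expires):
    """Build the 'signed' section of a targets metadata file for one artifact."""
    return {"expires": expires, "targets": {path: {"length": len(data),
            "hashes": {"sha256": hashlib.sha256(data).hexdigest()}}}}


def verify_release(meta, role, path, data, now):
    """Raise ValueError unless metadata and artifact pass every check; else return True."""
    signed = meta["signed"]
    if signed["expires"] <= now:
        raise ValueError("metadata expired")
    deleg = DELEGATIONS[role]
    valid = set()
    for sig in meta["signatures"]:
        if sig["keyid"] not in deleg["keyids"]:
            continue  # key exists in the ring but is not delegated this role: ignored
        if hmac.compare_digest(sign(sig["keyid"], signed)["sig"], sig["sig"]):
            valid.add(sig["keyid"])
    if len(valid) < deleg["threshold"]:
        raise ValueError(f"{len(valid)} valid signatures, threshold is {deleg['threshold']}")
    if path not in deleg["paths"]:
        raise ValueError("role is not delegated this path")
    target = signed["targets"][path]
    if len(data) != target["length"]:
        raise ValueError("length mismatch")
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), target["hashes"]["sha256"]):
        raise ValueError("sha256 mismatch")
    return True
```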