On 31 December 2014 at 17:43, Vladimir Diaz firstname.lastname@example.org wrote:
PEP 480 includes a section that discusses a potential approach to packages signed by package authors: https://www.python.org/dev/peps/pep-0480/#automated-signing-solution
Let us know what you think.
Thanks for the pointer. I read the section you referred to (admittedly in isolation). The language is unfamiliar to me, so I'm afraid I didn't get much from it. For example, I don't know what miniLock is, so that analogy was no help. Also, the phrase "the sharing of private keys across multiple machines of each developer" didn't mean much other than to raise alarms for me that I might not be able to simply log onto a new machine (a VM, for example, or a work machine) and do a quick "git clone; hack; python setup.py upload" to release an emergency fix, as I'd need a private key with me (as opposed to a password I can remember), and I'd need to do something to "allow key sharing". That would be annoying.
The "Enter a secondary password" note struck me as odd. Why would I need a second password? And why wouldn't I just reuse the same password as I use for PyPI? After all, I'm trusting that password hasn't been compromised; why make it harder on myself by needing to remember two passwords?
Terminology-wise, I don't know what "adding a new identity" means. Is that authorising a second developer? Or could I need to have multiple "identities" myself? The first is fine, the second isn't (I'm me, why do I need to have 2 identities just to upload a distribution)?
I'm aware of (and sorry about) the fact that this is very much a "drive by" scan of one section of the proposal in isolation. I hope it's still useful feedback, even if it's neither thorough nor particularly thoughtful - I was sort of aiming for "something is better than nothing", and that's all :-)
Anyway, I'll leave further comment to people with a better understanding of the issue, although I'm happy to clarify if any of the above isn't clear.