Tue, 21 Jun 2016 17:23:59 -0700, Nathaniel Smith wrote:
On Jun 21, 2016 14:37, "Evgeni Burovski" <evgeny.burovskiy@gmail.com> wrote:
One question --- equally applicable to both pre-release and final releases: Security. If we download the wheels from the build farm and then upload to PyPI, how can a user check that what they download has not been tampered with?
For source tarballs (and previously, Windows installers), we PGP sign the git tag and include checksums in the README file. This way they can at least verify the checksums.
I'm dubious that this really accomplishes much: https://caremad.io/2013/07/packaging-signing-not-holy-grail/
Well, security is best done in depth, and signing source tarballs is little extra work. That article talks about package signing, but it is only from the point of view of a random user. If it later becomes necessary to try to find out whether some tarballs are compromised by someone replacing release files on Github (or sourceforge injecting adware) etc., this is possible for me to do. I have my own key, and the keys by Ralf and Evgeni that I know are with high likelihood valid (assuming their laptops are not compromised). -- Pauli Virtanen
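The "verify the checksums" step mentioned in the thread, as an added example that is not part of the original e-mail and not NumPy's own release tooling. It assumes the README lists digests as "<hex digest>  <filename>" lines under an RST-style "SHA256" heading (the heading name, the underline characters and the two file names are assumptions), and the file contents and README text below are constructed for the demonstration:

```python
"""Check downloaded release files against the checksum list in a release README.

Added example, not NumPy's release tooling. Assumes the README lists digests
as "<hex digest>  <filename>" lines under a heading naming the algorithm
("MD5", "SHA256"), underlined RST-style. File contents and README text are
constructed for the demonstration.
"""
import hashlib
import hmac
import re

# One "<digest>  <filename>" line as written by sha256sum/md5sum
# (the optional "*" marks binary mode in coreutils output).
DIGEST_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]+)\s+\*?(?P<name>\S+)$")
DIGEST_LENGTHS = {"MD5": 32, "SHA256": 64}


def parse_checksums(readme_text, algorithm="SHA256"):
    """Return {filename: hex digest} for the section headed `algorithm`.

    Digest lines under other headings (e.g. MD5) are ignored, so a weaker
    digest listed alongside cannot be substituted for the strong one.
    """
    want_len = DIGEST_LENGTHS[algorithm]
    expected = {}
    section = None
    for line in readme_text.splitlines():
        stripped = line.strip()
        # Skip blank lines and RST underlines such as "~~~~~~" or "======".
        if not stripped or set(stripped) <= set("~=-"):
            continue
        match = DIGEST_LINE.match(stripped)
        if match is None:
            # Any other non-empty line is treated as a heading: "MD5", "SHA256", ...
            section = stripped.upper()
            continue
        if section == algorithm and len(match.group("digest")) == want_len:
            expected[match.group("name")] = match.group("digest").lower()
    return expected


def verify_files(files, expected, algorithm="SHA256"):
    """Compare each downloaded file (filename -> bytes) with its listed digest.

    Returns {filename: status} with "OK", "MISMATCH", "NOT LISTED" (downloaded
    but absent from the README) or "MISSING" (listed but not downloaded).
    The digest comparison is constant-time.
    """
    report = {}
    for name, data in files.items():
        listed = expected.get(name)
        if listed is None:
            report[name] = "NOT LISTED"
            continue
        actual = hashlib.new(algorithm.lower(), data).hexdigest()
        report[name] = "OK" if hmac.compare_digest(actual, listed) else "MISMATCH"
    for name in expected:
        report.setdefault(name, "MISSING")
    return report


# Constructed sample release: two files and the README checksum block a
# release manager would publish beside them (file names are assumptions).
RELEASE_FILES = {
    "numpy-1.11.1.tar.gz": b"constructed: not a real tarball",
    "numpy-1.11.1.zip": b"constructed: not a real zip file",
}


def _digest_block(algorithm):
    lines = [algorithm, "~" * len(algorithm)]
    for name, data in RELEASE_FILES.items():
        lines.append("%s  %s" % (hashlib.new(algorithm.lower(), data).hexdigest(), name))
    return "\n".join(lines) + "\n"


README = "Checksums\n=========\n\n" + _digest_block("MD5") + "\n" + _digest_block("SHA256")


if __name__ == "__main__":
    expected = parse_checksums(README)
    print(verify_files(RELEASE_FILES, expected))
    # Simulate a release file replaced after the README was written.
    tampered = dict(RELEASE_FILES)
    tampered["numpy-1.11.1.zip"] += b"\x00"
    print(verify_files(tampered, expected))
```

The check only speaks to the README it was given: if README and tarball are fetched from the same host, an attacker who can replace one can replace both, which is why the thread pairs the checksums with a PGP-signed git tag that ties the README to a release manager's key.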