[Catalog-sig] PEP 243 - Module Repository Upload Mechanism

Thomas Heller thomas.heller@ion-tof.com
31 Oct 2002 11:24:24 +0100


I've been playing with a PEP 243 implementation recently.

To remind you, this is Sean Reifschneider's Module Repository Upload
Mechanism PEP: http://www.python.org/peps/pep-0243.html .

With some inspiration from his Swalow code, and some help from
himself, I've played with a CGI script implementing this.

Different from the PEP, I've not used his X-Swalow-XXX headers to
return results to the uploader, instead the cgi-script returns a HTML
page (if submitted from a web-browser), or plain text (if called
programmatically).

In addition to the Swalow code, this script accepts an OpenPGP
compatible signature for the uploaded file, which I create with GnuPG.
I've patched distutils to accept --submit and --sign options for the
bdist_wininst and sdist commands, which will shell out to GnuPG to
create a signature for the created distribution, and then upload the
distribution to the server.

The cgi script itself verifies the signature against a keyring on the
server, and, if successful, moves the uploaded file to the public area.

Here's the transcript of a sample session:

  C:\pypan>python setup.py sdist --submit --sign
  running sdist
  reading manifest file 'MANIFEST'
  creating pypan-0.2
  creating pypan-0.2\PyPan
  copying files to pypan-0.2...
  copying README -> pypan-0.2
  copying make_packagelist.py -> pypan-0.2
  copying pypan.py -> pypan-0.2
  copying setup.py -> pypan-0.2
  copying PyPan\__init__.py -> pypan-0.2\PyPan
  copying PyPan\avail.py -> pypan-0.2\PyPan
  copying PyPan\install.py -> pypan-0.2\PyPan
  copying PyPan\installed.py -> pypan-0.2\PyPan
  copying PyPan\tarfile.py -> pypan-0.2\PyPan
  C:\Xilinx_ISE\bin\nt\zip.exe -rq dist\pypan-0.2.zip pypan-0.2
  removing 'pypan-0.2' (and everything under it)
  
  You need a passphrase to unlock the secret key for
  user: "Thomas Heller <theller@python.net>"
  1024-bit DSA key, ID B4985CBA, created 2002-10-24
  
  File `dist\pypan-0.2.zip.asc' exists. Overwrite (y/N)? y
  created dist\pypan-0.2.zip.asc
  submitting dist\pypan-0.2.zip
  ########
  uploader: saving as ./uploads/pypan-0.2.zip
  uploader: signature found
  uploader: Signature saved as ./uploads/pypan-0.2.zip.asc
  uploader: run 'gpg --batch --verify ./uploads/pypan-0.2.zip.asc ./uploads/pypan-0.2.zip 2>&1'
  
  gpg: Warning: using insecure memory!
  gpg: Signature made Thu Oct 31 04:48:23 2002 EST using DSA key ID B4985CBA
  gpg: Good signature from "Thomas Heller <theller@python.net>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  gpg: Fingerprint: DB49 621F C353 2ACF 4954  1DF3 5818 2B59 B498 5CBA
  
  uploader: seems to be a source archive file
  uploader: parsed ok
  uploader: final destination ./packages/uploaded/pypan-0.2.zip
  uploader: final destination ./packages/uploaded/pypan-0.2.zip.asc
  unknown filetype uploaded/pypan-0.2.zip.asc
  unknown filetype uploaded/pypan-0.2.win32.exe.asc
  unknown filetype packages.xml
  uploader: now 13 packages

The lines following the '########' are the text returned by the CGI script.

There is a security concern which has to be addressed, I'm aware of
that: when creating the signature you have to supply your passphrase
to the running distutils sdist or bdist_wininst command. I don't think
I like this.

Comments?

Thomas
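The server-side part of the flow above (accept an archive plus a detached .asc, verify it against a keyring, and only then move it to the public area) as an added example. This is not Thomas Heller's CGI script and not the Swalow code; it is illustrative code written for this page. Assumptions not taken from the post: the function names, parsing gpg's machine-readable `--status-fd` lines instead of the human-readable text shown in the transcript (whose "Good signature" line is locale-dependent and easy to match loosely), a separate keyring passed with `--no-default-keyring --keyring`, an allow-list of signing-key fingerprints that may publish (the transcript's "not certified with a trusted signature" warning shows that a verifying signature alone says nothing about who is allowed to upload), and a filename check so a client-chosen name cannot escape `./uploads`. The status lines in the sample are constructed to match the key shown in the transcript.

```python
"""Verify-then-publish logic for a PEP 243-style upload handler.

Added example for this page; not the original poster's script.  Function
names, the fingerprint allow-list and the sample status lines are assumptions.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from pathlib import Path

# Hypothetical allow-list of keys permitted to publish.  The fingerprint is
# the one printed by gpg in the post's transcript.
ALLOWED_FINGERPRINTS = {"DB49621FC3532ACF49541DF358182B59B4985CBA"}

# Keywords gpg emits on the status fd when a signature must not be trusted.
_FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG",
                     "EXPKEYSIG", "REVKEYSIG"}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


@dataclass
class VerifyResult:
    good: bool = False            # a GOODSIG line was seen
    fingerprint: str = ""         # primary fingerprint from VALIDSIG
    signer: str = ""              # user id from GOODSIG
    errors: list = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        """Publish only if the signature is good, nothing failed, and the
        signing key is explicitly allowed (keyring membership is not enough)."""
        return (self.good and not self.errors
                and self.fingerprint in ALLOWED_FINGERPRINTS)


def parse_gpg_status(status_text: str) -> VerifyResult:
    """Parse ``[GNUPG:] KEYWORD args`` lines (gpg --status-fd) into a verdict.

    Anything that is not a status line (warnings, translated prose) is ignored.
    """
    result = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ", 3)          # ["[GNUPG:]", KEYWORD, arg1, rest]
        keyword = parts[1]
        if keyword == "GOODSIG":
            result.good = True
            result.signer = parts[3] if len(parts) > 3 else ""
        elif keyword == "VALIDSIG" and len(parts) > 2:
            result.fingerprint = parts[2].upper()
        elif keyword in _FAILURE_KEYWORDS:
            result.errors.append(line)
    return result


def safe_upload_name(name: str) -> str:
    """Reject client-supplied names that could leave the uploads directory
    (path separators, '..', dot files) before they are used on disk."""
    if "/" in name or "\\" in name or not _SAFE_NAME.match(name):
        raise ValueError(f"rejected upload name: {name!r}")
    return name


def verify_with_gpg(archive: Path, signature: Path, keyring: Path) -> VerifyResult:
    """Run gpg against a dedicated keyring and parse its status output.
    Needs gpg on PATH; the parsing itself is testable without it."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    cmd = [gpg, "--batch", "--no-default-keyring", "--keyring", str(keyring),
           "--status-fd", "1", "--verify", str(signature), str(archive)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    result = parse_gpg_status(proc.stdout)
    if proc.returncode != 0 and not result.errors:
        result.errors.append(f"gpg exited with status {proc.returncode}")
    return result


def publish(archive: Path, signature: Path, keyring: Path, public_dir: Path) -> bool:
    """Move archive and signature to the public area only after verification."""
    result = verify_with_gpg(archive, signature, keyring)
    if not result.accepted:
        return False
    public_dir.mkdir(parents=True, exist_ok=True)
    for f in (archive, signature):
        shutil.move(str(f), str(public_dir / safe_upload_name(f.name)))
    return True


# Constructed status output (not captured from a real run) for the key in the post.
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 58182B59B4985CBA Thomas Heller <theller@python.net>\n"
    "[GNUPG:] VALIDSIG DB49621FC3532ACF49541DF358182B59B4985CBA 2002-10-31 "
    "1036057703 0 4 0 17 2 00 DB49621FC3532ACF49541DF358182B59B4985CBA\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 58182B59B4985CBA Thomas Heller <theller@python.net>\n"
UNKNOWN_KEY_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2002-10-31 "
    "1036057703 0 4 0 17 2 00 0000000000000000000000000123456789ABCDEF\n"
)
```

`TRUST_UNDEFINED` is deliberately not treated as a failure: the web-of-trust verdict is replaced by the explicit fingerprint allow-list, which is what an upload server actually needs to decide. `UNKNOWN_KEY_STATUS` shows the case the transcript's warning hints at: a signature that verifies against a key in the keyring but from a key that has not been authorized to publish.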