[Catalog-sig] PEP 243 - Module Repository Upload Mechanism

Thomas Heller thomas.heller@ion-tof.com
31 Oct 2002 20:34:33 +0100


martin@v.loewis.de (Martin v. Loewis) writes:

> Thomas Heller <thomas.heller@ion-tof.com> writes:
> 
> > There is a security concern which has to be addressed, I'm aware of
> > that: when creating the signature you have to supply your passphrase
> > to the running distutils sdist or bdist_wininst command. I don't think
> > I like this.
> 
> Are you really supplying it to distutils? I'd expect that gpg could
> read it directly from the terminal...

No, I'm not supplying it to distutils. Maybe I wasn't clear, here is
the line of code:

  os.system("gpg --armor --output %s.asc --detach-sig %s" % (filename, filename))

and gpg reads it from the console.

The user, however, runs

  python setup.py sdist --sign --submit

and then is required to enter his passphrase. He might be concerned
where it goes...

Thomas
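As an added illustration (not code from this post or from distutils), the following script does what the quoted `os.system` line does, but passes the arguments to gpg as a list instead of a shell string, so the filename is never interpreted by a shell, and it adds a matching verify step. The passphrase never touches the script: gpg prompts for it on the terminal (or asks gpg-agent), which is the point Martin raises. The `build_*` helpers run anywhere; the `sign_file` and `verify_signature` helpers assume a `gpg` binary on PATH.

```python
"""Added example: detached, ASCII-armored GPG signature of a release file.

The command builders reproduce the flags from the quoted line
(--armor --output <file>.asc --detach-sig <file>); the runners hand the
argv list to subprocess without a shell.  The passphrase is requested by
gpg itself, so it is never visible to this code.
"""
import shutil
import subprocess
import sys


def build_sign_command(filename):
    """argv that writes a detached, armored signature to <filename>.asc.
    Each value is a separate argv element, so shell metacharacters in the
    filename stay literal."""
    return ["gpg", "--armor", "--output", filename + ".asc",
            "--detach-sig", filename]


def build_verify_command(filename):
    """argv that checks <filename>.asc against <filename>."""
    return ["gpg", "--verify", filename + ".asc", filename]


def _require_gpg():
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")


def sign_file(filename):
    """Run gpg to sign `filename`.  gpg prompts for the passphrase on the
    controlling terminal (or via gpg-agent); we deliberately do not use
    --batch or --passphrase-fd, so the secret never passes through here.
    Returns True when gpg exits 0."""
    _require_gpg()
    return subprocess.run(build_sign_command(filename), check=False).returncode == 0


def verify_signature(filename):
    """Return True if <filename>.asc is a valid signature over <filename>
    by a key in the local keyring (gpg exit status 0)."""
    _require_gpg()
    return subprocess.run(build_verify_command(filename), check=False).returncode == 0


if __name__ == "__main__":
    # usage: python sign_release.py dist/foo-1.0.tar.gz
    target = sys.argv[1]
    if sign_file(target) and verify_signature(target):
        print("signed and verified:", target + ".asc")
    else:
        sys.exit("signing or verification failed")
```

The script is the same "enter your passphrase at the console" flow the post describes; what changes is only that a filename containing spaces or shell metacharacters (a constructed example such as `foo 1.0;x.tar.gz`) cannot alter the command, because it is a single argv element rather than text pasted into a shell string.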