[Catalog-sig] getting the public key when --sign is used
mal at egenix.com
Tue Nov 20 20:17:33 CET 2012
Donald Stufft wrote:
> On Tuesday, November 20, 2012 at 3:41 AM, M.-A. Lemburg wrote:
>> For the second requirement, updating the .asc file would be
>> a solution. Alternatively, the packagers could check the revocation
>> date and then still allow packages to be installed which were signed
>> before the revocation happened.
> No, if a key is revoked it can no longer be used. I may discover that
> my key has been compromised months after it was actually compromised
> I would then revoke it. I have no idea if the person who (in the hypothetical)
> signed any packages with my key, or for how long they've been doing so.
> Once a key is revoked you must not trust it for anything.
Good point, even though that makes it very difficult to deal with
the validity of signatures on older packages - the package author
may no longer be in possession of the needed bits to sign those
packages again or do a re-upload.
Hmm, perhaps just signing the hash value is good enough. Those
would be stored on PyPI and remain accessible.
I wonder how systems like Debian or the various RPM-based ones
deal with the problem.
eGenix.com Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
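An added example, not part of this thread and not PyPI or distutils code: the POSIX shell function below shows what a packager's verifier actually sees when a package was signed before its key was revoked. It builds a throwaway GnuPG (2.1 or later) keyring in a temporary directory, signs a stand-in for an sdist the way --sign does (a detached, ASCII-armored .asc), verifies it, then imports the revocation certificate that gpg writes at key-creation time and verifies the same .asc again. The user id, package name and file contents are constructed for the demonstration; if a usable gpg 2.1+ is not installed the function prints SKIP instead of a result.

```shell
#!/bin/sh
# Added example (not from the Catalog-SIG thread): verify a detached .asc
# before and after the signing key is revoked.  Everything lives in a
# throwaway GNUPGHOME; the identity and the "package" are constructed.
#
# Prints:  "GOODSIG REVKEYSIG"  (status before / after revocation)
#      or  "SKIP"               (gpg >= 2.1 not usable on this host)

demo_revoked_signature() {
    command -v gpg >/dev/null 2>&1 || { echo SKIP; return 0; }
    home=$(mktemp -d) || { echo SKIP; return 0; }
    chmod 700 "$home"

    uid="Catalog-SIG demo <demo@example.invalid>"   # assumed throwaway identity
    pkg="$home/mypkg-1.0.tar.gz"                     # stand-in for an uploaded sdist

    # --quick-gen-key is a gpg 2.1+ feature; it also drops a ready-made
    # revocation certificate into $home/openpgp-revocs.d/<FPR>.rev.
    if ! gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
             --passphrase '' --quick-gen-key "$uid" default default never \
             >/dev/null 2>&1; then
        rm -rf "$home"; echo SKIP; return 0
    fi

    printf 'pretend this is mypkg-1.0.tar.gz\n' > "$pkg"

    # Same shape as "setup.py sdist upload --sign": a detached armored .asc.
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --armor --detach-sign --output "$pkg.asc" "$pkg" \
        >/dev/null 2>&1 || { rm -rf "$home"; echo SKIP; return 0; }

    # Machine-readable verdict: gpg emits exactly one of GOODSIG, EXPKEYSIG,
    # REVKEYSIG or BADSIG on the status fd; the human-readable text is not
    # something a verifier should parse.
    verdict() {
        gpg --homedir "$home" --status-fd 1 --verify "$pkg.asc" "$pkg" \
            2>/dev/null \
        | awk '/^\[GNUPG:\] (GOODSIG|EXPKEYSIG|REVKEYSIG|BADSIG) / {print $2}'
    }

    before=$(verdict)

    # The author now discovers the compromise and publishes the revocation.
    # The pre-generated certificate is "disarmed" with a leading colon so it
    # cannot be imported by accident; stripping the colon arms it.
    rev=$(ls "$home"/openpgp-revocs.d/*.rev 2>/dev/null | head -n 1)
    sed 's/^://' "$rev" | gpg --homedir "$home" --batch --quiet --import \
        >/dev/null 2>&1 || true

    after=$(verdict)

    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home"
    echo "$before $after"
}
```

Usage: source the file and run demo_revoked_signature. The .asc bytes are identical in both runs; only the key's status in the keyring changed, and gpg switches its verdict from GOODSIG to REVKEYSIG. A verifier that insists on GOODSIG therefore rejects every signature from that key, the pre-revocation ones included, which is the behaviour Donald describes. The date-based variant proposed above would have to be built on top of this: accept REVKEYSIG only when the signature creation date reported in the VALIDSIG status line predates the revocation, and gpg itself will not make that decision for you.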