[Catalog-sig] getting the public key when --sign is used

Donald Stufft donald.stufft at gmail.com
Tue Nov 20 20:31:55 CET 2012


On Tuesday, November 20, 2012 at 2:17 PM, M.-A. Lemburg wrote:
> I wonder how systems like Debian or the various RPM-based ones
> deal with the problem.

OS packages are a little different since they use one key to sign
the entire repository. They tend to use a rolling key so that they
can expire keys over time without having to deal with forcing everyone
to find out how to get a key over insecure means.

If they needed to revoke a key there should be other keys that
can sign the package, and if they needed to revoke all the keys
then they'd need to start over for the original trust distribution. I'm
not aware if they have any contingencies in place for "need to fix
the entire trust database".

Since there are fewer keys they can also make better assertions
about how secure those keys are. Since every author has a key
it's important to be able to revoke them because the chances
of any one individual author needing to do so is larger than that
of Debian.

As a side note, this type of system also needs to know who
is allowed to sign for what particular package names. This data
must be communicated securely, and it must require authorization
from the existing keys to confirm the additional (or allow the user
to force it to override). This cannot simply be a flag in PyPI.
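The last paragraph describes a requirement rather than a mechanism: a mapping from package names to the keys allowed to sign them, where adding a signer must itself be authorized by a key already on the list, and revocation must take effect on package verification. Below is an added example modelling that logic; it is not code from the original post, from PyPI or from any Catalog-SIG proposal. The package name, key ids and key material are constructed, and HMAC-SHA256 with a per-key secret stands in for a real public-key signature so that the example runs with the standard library only (in a real system the verifier would hold only public keys).

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample key material. The secret plays the role of each
# author's private key; HMAC over it stands in for a public-key signature.
SECRETS = {
    "key-alice": b"alice-secret-constructed",
    "key-bob": b"bob-secret-constructed",
    "key-carol": b"carol-secret-constructed",
}


def sign(key_id, message):
    """Stand-in for signing `message` with the private key `key_id`."""
    return hmac.new(SECRETS[key_id], message, hashlib.sha256).hexdigest()


def verify(key_id, message, signature):
    """Stand-in for verifying a signature against the public key `key_id`."""
    return hmac.compare_digest(sign(key_id, message), signature)


class AuthorizationError(Exception):
    pass


@dataclass
class TrustDB:
    # package name -> set of key ids allowed to sign releases of it
    signers: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def bootstrap(self, package, key_id):
        """Initial trust for a package, established out of band (e.g. at first
        registration). This is the one step no existing key can vouch for."""
        self.signers.setdefault(package, set()).add(key_id)

    def add_signer(self, package, new_key, authorizing_key, signature):
        """Add `new_key` as a signer for `package`. The delegation must be
        signed by a key that is already authorized for that package and is
        not revoked; a bare flag in the index would not give this guarantee."""
        msg = f"add-signer:{package}:{new_key}".encode()
        if authorizing_key in self.revoked:
            raise AuthorizationError("authorizing key is revoked")
        if authorizing_key not in self.signers.get(package, set()):
            raise AuthorizationError("authorizing key may not sign this package")
        if not verify(authorizing_key, msg, signature):
            raise AuthorizationError("bad signature on delegation")
        self.signers[package].add(new_key)

    def revoke(self, key_id):
        """Revocation applies to every package the key could sign."""
        self.revoked.add(key_id)

    def verify_package(self, package, key_id, content, signature):
        """A release is trusted only if the key is authorized for this
        package, is not revoked, and the signature over the content checks."""
        if key_id in self.revoked:
            return False
        if key_id not in self.signers.get(package, set()):
            return False
        return verify(key_id, content, signature)


def demo():
    """Walk through delegation and revocation; returns a dict of outcomes."""
    db = TrustDB()
    db.bootstrap("examplepkg", "key-alice")
    content = b"examplepkg-1.0.tar.gz (constructed release bytes)"
    out = {}
    out["alice_ok"] = db.verify_package("examplepkg", "key-alice", content,
                                        sign("key-alice", content))
    # Bob has a valid signature but is not yet authorized for this package.
    out["bob_before"] = db.verify_package("examplepkg", "key-bob", content,
                                          sign("key-bob", content))
    # A key that is not on the package's list cannot add itself.
    try:
        db.add_signer("examplepkg", "key-carol", "key-carol",
                      sign("key-carol", b"add-signer:examplepkg:key-carol"))
        out["carol_delegation"] = "accepted"
    except AuthorizationError:
        out["carol_delegation"] = "rejected"
    # An existing signer (Alice) delegates to Bob.
    db.add_signer("examplepkg", "key-bob", "key-alice",
                  sign("key-alice", b"add-signer:examplepkg:key-bob"))
    out["bob_after"] = db.verify_package("examplepkg", "key-bob", content,
                                         sign("key-bob", content))
    # Alice's key is revoked: her signatures stop verifying, Bob's still do.
    db.revoke("key-alice")
    out["alice_after_revoke"] = db.verify_package("examplepkg", "key-alice",
                                                  content, sign("key-alice", content))
    out["bob_after_revoke"] = db.verify_package("examplepkg", "key-bob",
                                                content, sign("key-bob", content))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is that `add_signer` and `verify_package` consult the same database, so the "who may sign what" data is checked on every verification and cannot be bypassed by a key that merely produces a valid signature. Bootstrapping the first key for a package remains the unsolved out-of-band step the post alludes to.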