[Catalog-sig] [Draft] Package signing and verification process

Vinay Sajip vinay_sajip at yahoo.co.uk
Wed Feb 6 22:44:47 CET 2013


Daniel Holth <dholth <at> gmail.com> writes:

> That is why the original wheel signing design uses no GPG, a system that has
> proven to be unused in practice.

It's not like there's some other PKI system which is so much easier to use that
it's a no-brainer, such that it has widespread adoption with the type of user
that Donald was talking about.

A lot of it is that people are very happy to trade security for convenience,
and you can't really have additional security with *no* loss of convenience
(though that loss may be small). Why, most of us can't even be bothered to read
on-line license terms and conditions, preferring to click the "I Agree" button
as soon as it appears!

In the Windows world, people are used to being prompted to accept a program
publisher's identity verified by a code-signing certificate, just like an SSL
certificate. Of course, you can have signed malware, as is in the news this
week.

With Python packages, you can't easily just trust one publisher, because of all
the recursive dependencies a package pulls in. It's mostly a blessing, but not
in this regard.

Regards,

Vinay Sajip
