[Catalog-sig] [Draft] Package signing and verification process

Ronald Oussoren ronaldoussoren at mac.com
Thu Feb 7 11:08:06 CET 2013


On 6 Feb, 2013, at 22:15, Daniel Holth <dholth at gmail.com> wrote:

> On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller <jnoller at gmail.com> wrote:
> 
> 
> On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote:
> 
> > On Wednesday, February 6, 2013 at 4:01 PM, Vinay Sajip wrote:
> > > M.-A. Lemburg <mal at egenix.com> writes:
> > >
> > > > Try gnupg-w32cli which is really easy to install and doesn't
> > > > get in your way:
> > > >
> > > > http://lists.gnupg.org/pipermail/gnupg-announce/2012q1/000313.html
> > >
> > > Or, to fast-track to the binaries, look in here:
> > >
> > > ftp://ftp.gnupg.org/gcrypt/binary/
> > >
> > > As MAL says, installation with these installers is fairly painless.
> > Average end user: "What's a GPG"
> 
> Or even those of us familiar and using it day to day "Oh Jeez not again"
> 
> That is why the original wheel signing design uses no GPG, a system that has proven to be unused in practice. Hypothesis: something different cannot possibly be less successful. Instead, it uses raw public key signatures implemented with very concise Python code. It might even automatically generate one for you if you have none. Wheel's scheme would be perfect for Plone which distributes long lists of all its dependencies, as they would just add the publisher key as an argument to each dependency. A new maintainer might receive a copy of the private key as keys are meant to be plentiful and contain no extra information such as e-mail addresses.
> 
> Using ssh-agent to produce signatures with the user's ssh keys is another option.
> 
> There is a complete Python implementation of TLS out there.

Implementing enough of PGP in python to do clear signing and verification shouldn't be too hard either :-)

What I haven't seen (or have overlooked) in the entire discussion is what we're trying to protect against.  The thread kicked off due to a report of how to perform MITM attacks against PyPI, but it seems that some of the proposals want to provide much more security than that.  Without a clear description of a threat model it is hard to evaluate if proposals actually fix anything.

Ronald

> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
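The following is an added illustration, not code from this thread, from the wheel project or from any of the people quoted above. It puts Daniel's description (raw public key signatures, cheap keys, the publisher key pinned as part of each dependency entry) next to Ronald's question of what is actually being protected against: a client that pins the publisher key rejects a substituted artifact no matter what the index, or a man-in-the-middle between the client and the index, served. Assumptions not stated on the page: Ed25519 as the signature algorithm (written out here in the slow textbook form of the public reference algorithm, standard library only), a 32-byte random seed as the private key, and the `publisher_key` field and `check_pinned` function, which are hypothetical names for this example. The artifacts, keys and dependency entry in `demo()` are constructed on the spot.

```python
import hashlib
import os

# Curve25519 field prime and the order of the Ed25519 base-point group.
q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493

def inv(x):
    return pow(x, q - 2, q)

d = (-121665 * inv(121666)) % q          # twisted Edwards curve constant
I = pow(2, (q - 1) // 4, q)              # sqrt(-1), used when recovering x

def xrecover(y):
    """Even x for a given y on the curve -x^2 + y^2 = 1 + d x^2 y^2."""
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    return q - x if x % 2 else x

By = (4 * inv(5)) % q
B = (xrecover(By), By)                   # standard base point

def edwards(P, Q):
    """Affine point addition, textbook form (slow, but fine for a demo)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q,
            (y1 * y2 + x1 * x2) * inv(1 - t) % q)

def scalarmult(P, e):
    R = (0, 1)                           # neutral element
    for bit in bin(e)[2:]:               # left-to-right double-and-add
        R = edwards(R, R)
        if bit == "1":
            R = edwards(R, P)
    return R

def encodepoint(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decodepoint(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (n >> 255):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)

def _expand(seed):
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)   # clamp the scalar as Ed25519 requires
    return a, h[32:]

def publickey(seed):
    return encodepoint(scalarmult(B, _expand(seed)[0]))

def _hint(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def sign(msg, seed):
    a, prefix = _expand(seed)
    pk = publickey(seed)
    r = _hint(prefix, msg) % L           # deterministic nonce
    R = encodepoint(scalarmult(B, r))
    S = (r + _hint(R, pk, msg) * a) % L
    return R + S.to_bytes(32, "little")  # 64-byte detached signature

def verify(sig, msg, pk):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L:
        return False
    h = _hint(sig[:32], pk, msg) % L
    return scalarmult(B, S) == edwards(R, scalarmult(A, h))

def check_pinned(dependency, artifact, sig):
    """Accept an artifact only if it verifies under the key pinned in the
    dependency entry, whatever the index or a man-in-the-middle served."""
    return verify(sig, artifact, dependency["publisher_key"])

def demo():
    seed = os.urandom(32)                # keys are cheap: make one on the spot
    dep = {"name": "example-pkg", "publisher_key": publickey(seed)}  # constructed
    artifact = b"constructed stand-in for a wheel's bytes"
    sig = sign(artifact, seed)
    evil = b"constructed stand-in for a swapped-in wheel"
    return {
        "genuine": check_pinned(dep, artifact, sig),        # True
        "tampered": check_pinned(dep, evil, sig),           # False: bytes changed
        "resigned": check_pinned(dep, evil, sign(evil, os.urandom(32))),  # False: wrong key
    }

if __name__ == "__main__":
    print(demo())
```

The key pinned in the dependency list is the whole trust anchor here: the check says nothing about an artifact whose publisher key was never authenticated in the first place, or about a publisher whose key has leaked, which is exactly the kind of question a written threat model has to settle before such a scheme can be judged.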


