[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
Donald Stufft
donald.stufft at gmail.com
Sat Feb 9 23:23:06 CET 2013
On Saturday, February 9, 2013 at 4:23 PM, Giovanni Bajo wrote:
> Hello,
>
> my proposal for fixing PyPI and pip security is here:
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit#
>
> I tried to sum up the discussions we had here last week, elaborating on Heimes' proposal by simplifying it where I thought the additional steps wouldn't guarantee additional security. At this point, the proposal does not include a central, uber-master online GPG signing key to be stored on PyPI, which is IMO quite hard to handle correctly.
>
> Comments are welcome!
> --
> Giovanni Bajo :: rasky at develer.com (mailto:rasky at develer.com)
> Develer S.r.l. :: http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
Thanks for writing this up. I'll take a closer look at it later tonight (and I'm sure many other folks will as well!)