[Distutils] RFC: PEP243: Module Repository Upload Mechanism

Amos Latteier amos@digicool.com
Sun Mar 25 14:42:01 2001


On Sat, 24 Mar 2001 16:17:35 -0700 Sean Reifschneider
<jafo@tummy.com> wrote:
> Included below is the version of PEP243 after its
> initial round of review.
> I welcome any feedback.

I've been looking at this PEP more closely, now that I'm
thinking about actually implementing it with my prototype
catalog server.

One question I have is how does the catalog verify who is
uploading the package. It seems that the only facility is
via a pgp signature. However, this signature seems to verify
the author, not the uploader. Plus it's optional.

> signature (optional) -- A OpenPGP-compatible signature [RFC2440]
> of the uploaded distribution as signed by the author. This may be
> used by the cataloging system to automate acceptance of uploads.

This means that the author must have some flavor of pgp and
must have signed the package before you upload it. Otherwise
the catalog has no way to associate a package with an
individual except the author in the PKG-INFO file. This is
problematic from a security point of view. For example, I
can put Guido down as the author of my malicious package.

In my prototype server folks who upload packages are verified
by email address. (Actually this is not implemented yet, but
will be soon. To get privileges to upload you will have to
provide an email address, and a password will be sent to
it.) So this way you can know the email address of the
person who uploaded the package. Of course, you can also use
pgp signatures to verify the author of the package, if there
is a signature available.

I like this system because it is lightweight, and doesn't
require much overhead for the author or uploader. It
provides the downloader with some measure of information
about what they're downloading. And it allows you to provide
additional security information (pgp signatures) if you
wish.

If folks have other ideas about how to handle security I'd
love to hear about them. I'm no security expert.

In sum, I'd like to see the PEP address the issue of
identifying the uploader (who may or may not be the author)
of the package.

-Amos
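One way a catalog could keep the verified uploader separate from the unauthenticated Author field in PKG-INFO, as an added example that is not part of this thread, PEP 243, or the prototype server. It assumes the upload carries a PKG-INFO header block as distutils writes it, that `uploader_email` has already been verified by the mailed password, and a hypothetical `owners` registry mapping each package name to the account that first uploaded it.

```python
# Added example, not code from PEP 243 or the prototype catalog server.
# Policy: authorization is tied to the verified uploader account; the
# Author/Author-email headers are recorded for display only, because
# anyone can write whatever they like into PKG-INFO.
from email.parser import HeaderParser


def parse_pkg_info(text):
    """Parse PKG-INFO (RFC 822 style headers) into a dict with lower-cased keys."""
    msg = HeaderParser().parsestr(text)
    return {k.lower(): v for k, v in msg.items()}


def check_upload(pkg_info_text, uploader_email, owners, signature=None):
    """Return (accepted, reason) for an upload.

    owners: assumed registry, package name -> verified uploader email.
    The first verified upload of a name claims it; later uploads must
    come from the same verified account. A signature, if present, is
    noted here but verifying it is left to an external OpenPGP tool.
    """
    meta = parse_pkg_info(pkg_info_text)
    name = meta.get("name")
    if not name:
        return False, "PKG-INFO has no Name field"
    if uploader_email is None:
        return False, "uploader not verified"
    owner = owners.setdefault(name, uploader_email)  # first upload claims the name
    if owner != uploader_email:
        return False, f"{name} is owned by {owner}, upload from {uploader_email}"
    notes = []
    if meta.get("author-email", "").lower() != uploader_email.lower():
        notes.append("author differs from uploader")  # shown to downloaders, not a rejection
    if signature is None:
        notes.append("unsigned")
    return True, "; ".join(notes) or "ok"


# Constructed sample: PKG-INFO naming someone else as author, uploaded by a
# different verified account (the spoofing case described in the mail).
SAMPLE_PKG_INFO = """\
Metadata-Version: 1.0
Name: evilpkg
Version: 0.1
Author: Some Famous Author
Author-email: author@example.org
"""
```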