[Distutils] PGP keys required? (Re: PEP 243)

M.-A. Lemburg mal at egenix.com
Tue Feb 3 05:01:01 EST 2004

Moore, Paul wrote:
> From: Keith Jackson [mailto:krjackson at lbl.gov]
>>A single S/MIME email from you or Jack would totally suffice for me for
>>the short term. That way I could look in the archive, verify the sig,
>>and know that the hashes are valid. (Assuming you and Jack aren't
>>really black hats. :)
> Ironically, that message just came through with an "invalid digital
> signature" warning. I've no idea what Outlook (yes, I know, so sue me)
> considers in making this judgement, but I no longer trust anything you
> say, in case you are not who you say you are :-)

FWIW, the PSF will start creating a web of trust which should
allow you to trust signatures if you see them on the web without
actually knowing the person owning the signature.

> On a more serious note, this demonstrates why I don't trust digital
> signatures much. Unless this really *was* someone else masquerading as
> Keith, what do I do? I've never seen a genuinely hacked download, to my
> knowledge, but I *have* seen warnings and errors from invalid
> signatures.
> So ignoring signature errors is the correct approach, based on the
> evidence I have encountered!
> I'm not trying to argue the case, just to demonstrate how the world
> looks from the POV of security-naive people like me...

Perhaps distutils should simply start to add MD5 or SHA hash
sums of the created archives to the meta-data which gets uploaded
to e.g. PyPI. That way, the user can easily see whether a mirror
has the correct packages or not. Better than nothing, I'd say,
and easy to implement even without having to go through all the
PKI stuff :-)

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Feb 03 2004)
 >>> Python/Zope Consulting and Support ...        http://www.egenix.com/
 >>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
 >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
2004-01-23: Released mxODBC.Zope.DA 1.0.8        http://zope.egenix.com/

::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,FreeBSD for free ! ::::
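An added example of the scheme Marc-Andre sketches above (this is illustration code, not distutils or PyPI code): the build side attaches digests of the created archive to the upload metadata, and the download side checks a copy fetched from a mirror against the digests published by the index. The function names, the `digests`/`size` metadata keys, the preferred-algorithm order and the sample archive contents are all assumptions made for the example, not a real PyPI metadata format.

```python
"""Added example, not distutils/PyPI code: digests in upload metadata,
and verification of a mirror's copy against what the index published.
Names, metadata keys and sample contents are assumptions for illustration."""
import hashlib
import hmac
import os
import shutil
import tempfile

# Try the strongest digest the index published first; md5 is kept only so
# that older metadata which carries nothing else can still be checked.
PREFERRED_ALGORITHMS = ("sha256", "sha1", "md5")


def hash_bytes(data, algorithm="sha256"):
    """Digest of an in-memory byte string (hex)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256", chunk_size=64 * 1024):
    """Stream the file through the hash so a large sdist need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_upload_metadata(archive_path, algorithms=("sha256", "md5")):
    """Build side: what the tool would attach to the upload (assumed layout)."""
    return {
        "filename": os.path.basename(archive_path),
        "size": os.path.getsize(archive_path),
        "digests": {alg: hash_file(archive_path, alg) for alg in algorithms},
    }


def verify_mirror_copy(mirror_path, index_metadata):
    """Download side: return (ok, reason) for a file fetched from a mirror.

    index_metadata must come from the index itself, not from the mirror:
    a digest served next to the file proves nothing, since whoever altered
    the file could alter the digest alongside it."""
    digests = index_metadata.get("digests", {})
    for alg in PREFERRED_ALGORITHMS:
        if alg in digests:
            break
    else:
        return False, "index published no usable digest"
    # Cheap check first: a size mismatch means the digest cannot match either.
    if os.path.getsize(mirror_path) != index_metadata["size"]:
        return False, "size mismatch"
    actual = hash_file(mirror_path, alg)
    expected = digests[alg]
    if not hmac.compare_digest(actual, expected):
        return False, "%s mismatch: index %s, mirror %s" % (alg, expected, actual)
    return True, "%s verified" % alg


def demo():
    """Constructed sample: one faithful mirror copy and one tampered copy
    of the same length (a size check alone would not catch it)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "example-1.0.tar.gz")  # name is made up
        with open(original, "wb") as f:
            f.write(b"\x1f\x8b" + b"pretend gzip tarball contents")
        metadata = build_upload_metadata(original)

        good_copy = os.path.join(tmp, "mirror-good.tar.gz")
        shutil.copyfile(original, good_copy)

        tampered_copy = os.path.join(tmp, "mirror-bad.tar.gz")
        with open(tampered_copy, "wb") as f:
            f.write(b"\x1f\x8b" + b"pretend gzip tarball contentS")  # one byte flipped

        return (metadata,
                verify_mirror_copy(good_copy, metadata),
                verify_mirror_copy(tampered_copy, metadata))


if __name__ == "__main__":
    meta, good, bad = demo()
    print(meta)
    print("good mirror:", good)
    print("tampered mirror:", bad)
```

The comparison uses `hmac.compare_digest` out of habit rather than necessity here (the digests are public), and the size check is only a shortcut: the digest is what actually decides. As the docstring says, the whole check is only as good as the channel the metadata arrived over, which is why this is "better than nothing" rather than a replacement for signatures.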
