[Distutils] PGP keys required? (Re: PEP 243)
krjackson at lbl.gov
Tue Feb 3 14:39:40 EST 2004
On Feb 3, 2004, at 2:01 AM, M.-A. Lemburg wrote:
> Perhaps distutils should simply start to add MD5 or SHA hash
> sums of the created archives to the meta-data which gets uploaded
> to e.g. PyPI. That way, the user can easily see whether a mirror
> has the correct packages or not. Better than nothing, I'd say,
> and easy to implement even without having to go through all the
> PKI stuff :-)
I'm all in favor of associating hashes with all packages that get
uploaded. My real question is how do we prevent a black hat from
uploading a new version of M2Crypto, or PyOpenSSL that has been
trojaned. As long as they changed the hash values, and I haven't cached
them locally, I'd have no way of knowing. I can point to real examples
of this happening in the open-source world.
It would be fine with me if we could come up with a scheme where only
package authors and the PyPI people need to deal with PKI. As part of
the upload I could sign a copy of the SHA1 hash value for the package.
This could be a detached PGP sig, an S/MIME sig, I don't care, although
I think PGP would probably be best for our community. The PyPI could
have a key, and then do signing BoF's at OSCON and PyCon, etc.
I don't think this should be mandatory today, but I would hate to see
us design a system that wouldn't support rudimentary security. I think
we do it so only the hashes are used for now by actual users. That way
we avoid any export laws and other such nonsense. All the PGP stuff
could be done at the cli, or as part of the auto submission process.
More information about the Distutils-SIG