[Distutils] [Catalog-sig] [Python-Dev] accept the wheel PEPs 425, 426, 427

"Martin v. Löwis" martin at v.loewis.de
Tue Nov 13 18:23:35 CET 2012


> I want to remove distutils from the standard library. If that happens
> then we might want a secure way to install it from pypi. One way would
> be to include the public key used to sign distutils in Python's own
> signature-verifying bootstrap wheel installer, never mind whether it
> used ECDSA or RSA or Ed25519. Do you have a better idea? TUF?
> https://www.updateframework.com/wiki/SecuringPythonPackageManagement

It depends on the threat model - whose definition is key to any security
discussion.

I'd say that providing the CA certificate of the CA, and using https
for downloading, should be enough.

Alternatively, if the threat is that somebody may have hacked PyPI,
then hard-code the hash (SHA-3 if you are paranoid) in the Python
distribution, and rely on downloading a specific version from PyPI.

OTOH, I'm -1 on removing the code from Python in a way that it may
come back through downloading. Instead, it is much easier to keep
it included.

Regards,
Martin
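An added illustration of the hash-pinning alternative sketched in the reply above (not code from this thread, from CPython, or from PyPI): the interpreter carries a hard-coded digest of one specific release archive and refuses to install a download whose digest differs. The archive bytes and the pinned value are constructed here so the example runs offline; in a real build the hex string would be a literal compiled into the distribution, and the algorithm name shows how SHA-3 can be selected alongside SHA-256.

```python
import hashlib
import hmac

# Constructed stand-in for the bytes of one specific release archive
# fetched from PyPI (assumption; not a real distutils archive).
SAMPLE_ARCHIVE = b"distutils-X.Y.Z.tar.gz (constructed sample bytes)"

# Only algorithms the installer is willing to trust; anything else is an error,
# so a malformed pin cannot silently fall back to a weak hash.
ALLOWED_ALGORITHMS = ("sha256", "sha3_256", "sha3_512")


def digest(data: bytes, algorithm: str = "sha3_256") -> str:
    """Hex digest of an artifact using one of the allowed algorithm names."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def verify_pinned(data: bytes, expected_hex: str, algorithm: str = "sha3_256") -> bool:
    """Return True only if the download matches the hard-coded digest.

    hmac.compare_digest is constant-time, so a mismatch does not reveal
    how many leading characters of the digest happened to agree.
    """
    actual = digest(data, algorithm)
    return hmac.compare_digest(actual, expected_hex.lower())


# In a shipped interpreter this would be a literal baked into the build.
# Here it is derived from the constructed sample so the example is self-contained.
PINNED_SHA3_256 = digest(SAMPLE_ARCHIVE, "sha3_256")


def install_if_trusted(data: bytes, pinned_hex: str = PINNED_SHA3_256) -> str:
    """Gate the install step on the pinned digest; a tampered or substituted
    archive (e.g. after a PyPI compromise) is rejected before anything runs."""
    if not verify_pinned(data, pinned_hex, "sha3_256"):
        raise RuntimeError("digest mismatch: refusing to install")
    return "installed"


if __name__ == "__main__":
    print(install_if_trusted(SAMPLE_ARCHIVE))
    try:
        install_if_trusted(SAMPLE_ARCHIVE + b"\x00")
    except RuntimeError as exc:
        print("rejected tampered archive:", exc)
```

The trade-off this makes explicit: a pinned digest only ever admits the exact release whose bytes were hashed, so every update to the pinned package requires shipping a new digest with the interpreter, which is the "specific version" constraint the reply mentions.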
