[Distutils] vetting, signing, verification of release files

Christian Heimes christian at python.org
Tue Jul 16 12:38:03 CEST 2013


Am 16.07.2013 12:21, schrieb Jannis Leidel:
> On 16.07.2013, at 11:19, holger krekel <holger at merlinux.eu> wrote:
> 
>> Any thoughts or pointers to existing efforts within the (Python) 
>> packaging ecologies?
> 
> Erik Rose just released peep the other day [1], which admittedly doesn't use gpg but at least allows pip users to simplify the manual vetting process.

Peep is a bit scary because the author doesn't have much confidence in
his own crypto fu:

   "Proof of concept. Does all the crypto stuff. Should be secure."

Peep doesn't protect you from at least one DoS attack scenario. The tool
does neither verify nor limit the size of a downloaded file. In theory
an active attacker could make you download an arbitrarily large file in
order to clog your network pipes. Eventually your machine runs out of
disk space, too.

I'd feel much better if such a tool verified both hashsum and file size.

Christian
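The check Christian asks for, as an added example (not peep's code, and not from anyone on this thread): a downloader that pins the file size next to the hash, rejects a disagreeing Content-Length before reading anything, aborts as soon as the body overruns the pinned size, and only then compares the SHA-256 digest. Pinning a size alongside the hash is a hypothetical requirements-file format assumed for the example; the sample release file and the "endless" server stream are constructed inline.

```python
import hashlib
import hmac
from typing import Iterable, Optional


class VerificationError(Exception):
    """A downloaded file failed a size or hash check."""


def fetch_verified(chunks: Iterable[bytes], expected_sha256: str,
                   expected_size: int, declared_size: Optional[int] = None) -> bytes:
    """Consume a stream of byte chunks, enforcing the size bound before trusting the hash.

    chunks         -- the response body as an iterable of byte strings
    expected_sha256, expected_size -- pinned values from the requirements file
                      (hypothetical format; the size pin is this example's assumption)
    declared_size  -- the server's Content-Length, if any; a mismatch is rejected
                      up front so no body bytes are transferred at all
    """
    if declared_size is not None and declared_size != expected_size:
        raise VerificationError(
            f"Content-Length {declared_size} does not match pinned size {expected_size}")
    digest = hashlib.sha256()
    received = 0
    buf = bytearray()
    for chunk in chunks:
        received += len(chunk)
        # Abort as soon as the body overruns the pinned size: a server that
        # never stops sending can cost at most one extra chunk of bandwidth.
        if received > expected_size:
            raise VerificationError(
                f"stream exceeded pinned size {expected_size} after {received} bytes")
        digest.update(chunk)
        buf.extend(chunk)
    if received != expected_size:
        raise VerificationError(f"truncated: got {received} of {expected_size} bytes")
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        raise VerificationError("sha256 mismatch")
    return bytes(buf)


class EndlessStream:
    """Constructed stand-in for a malicious server whose body never ends."""

    def __init__(self, chunk: bytes = b"A" * 4096):
        self.chunk = chunk
        self.chunks_read = 0

    def __iter__(self):
        while True:
            self.chunks_read += 1
            yield self.chunk


def fetch_status(chunks, expected_sha256, expected_size, declared_size=None) -> str:
    """Return 'ok' or a 'rejected: ...' message instead of raising; handy for scripting."""
    try:
        fetch_verified(chunks, expected_sha256, expected_size, declared_size)
    except VerificationError as exc:
        return f"rejected: {exc}"
    return "ok"


# Constructed sample "release file" and the values a requirements file would pin.
SAMPLE = b"fake-sdist-contents-" * 256          # 5120 bytes
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(fetch_status([SAMPLE[:3000], SAMPLE[3000:]], SAMPLE_SHA256, len(SAMPLE)))
    tampered = SAMPLE[:-1] + b"X"                 # same size, different content
    print(fetch_status([tampered], SAMPLE_SHA256, len(SAMPLE)))
    flood = EndlessStream()
    print(fetch_status(flood, SAMPLE_SHA256, len(SAMPLE)), "chunks read:", flood.chunks_read)
    print(fetch_status([SAMPLE], SAMPLE_SHA256, len(SAMPLE), declared_size=10**9))
```

The ordering matters: the size bound is enforced while streaming, so the hash is never computed over more data than the pin allows, and the digest comparison happens last because it is the only check that needs the whole body.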

