[Distutils] vetting, signing, verification of release files

Donald Stufft donald at stufft.io
Tue Jul 16 19:57:45 CEST 2013


On Jul 16, 2013, at 5:19 AM, holger krekel <holger at merlinux.eu> wrote:

> 
> I am considering implementing gpg-signing and verification of release files
> for devpi.  Rather than requiring package authors to sign their release
> files, I am pondering a scheme where anyone can vet for a particular
> published release file by publishing a signature about it.  This aims
> to help responsible companies to work together.  I've heard from devops/admins
> that they manually download and check release files and then install
> them offline after some vetting.  Wouldn't it be useful to turn this
> into a more collaborative effort?
> 
> Any thoughts or pointers to existing efforts within the (Python) 
> packaging ecologies?
> 
> best,
> holger
> 
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

So I'm not entirely sure what your goals are here.

What exactly are you verifying? What is going to verify signatures once you have a (theoretically) trusted set? What is going to keep a malicious actor from poisoning the well?

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
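One way to make the two questions above concrete, as an added example that is not part of this thread or of devpi: the consumer keeps its own set of trusted vetter keys and a signature threshold, so attestations published by anyone outside that set are simply ignored. Ed25519 stands in for GPG signatures, and the type and function names (Vet, SignRelease, CountTrustedVets, Install) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Vet is one published attestation: a vetter's public key plus its
// signature over the SHA-256 digest of one specific release file.
type Vet struct {
	Vetter ed25519.PublicKey
	Sig    []byte
}

// SignRelease is what a vetter publishes after checking a release file
// (ed25519 stands in for the GPG signature of the original proposal).
func SignRelease(priv ed25519.PrivateKey, release []byte) Vet {
	d := sha256.Sum256(release)
	return Vet{Vetter: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, d[:])}
}

// CountTrustedVets counts distinct trusted vetters with a valid signature over
// this exact file. Keys outside the consumer's trust set and invalid signatures
// are ignored, so open publishing cannot poison the well; duplicates count once.
func CountTrustedVets(trusted []ed25519.PublicKey, release []byte, vets []Vet) int {
	d := sha256.Sum256(release)
	seen := map[string]bool{}
	for _, v := range vets {
		for _, t := range trusted {
			if t.Equal(v.Vetter) && !seen[string(t)] && ed25519.Verify(t, d[:], v.Sig) {
				seen[string(t)] = true
			}
		}
	}
	return len(seen)
}

// Install applies the consumer's policy: at least threshold distinct trusted
// vetters must have signed this file before it is installed.
func Install(trusted []ed25519.PublicKey, threshold int, release []byte, vets []Vet) bool {
	return CountTrustedVets(trusted, release, vets) >= threshold
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(nil) // trusted vetter (constructed key)
	_, privX, _ := ed25519.GenerateKey(nil)    // unknown party publishing a signature
	release := []byte("constructed sample release file")
	vets := []Vet{SignRelease(privX, release), SignRelease(privA, release)}
	fmt.Println("install:", Install([]ed25519.PublicKey{pubA}, 1, release, vets)) // true
}
```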


