[Distutils] vetting, signing, verification of release files

holger krekel holger at merlinux.eu
Wed Jul 17 09:03:27 CEST 2013

On Tue, Jul 16, 2013 at 13:57 -0400, Donald Stufft wrote:
> On Jul 16, 2013, at 5:19 AM, holger krekel <holger at merlinux.eu> wrote:
> > 
> > I am considering implementing gpg-signing and verification of release files
> > for devpi.  Rather than requiring package authors to sign their release
> > files, i am pondering a scheme where anyone can vet for a particular 
> > published release file by publishing a signature about it.  This aims
> > to help responsible companies to work together.  
> >
> So I'm not entirely sure what your goals are here.

The goal is to facilitate collaboration between individuals and companies
in vetting the integrity and, to some degree, authenticity of a published
pypi package.

> What exactly are you verifying? What is going to verify signatures once you have a (theoretically) trusted set? What is going to keep a malicious actor from poisoning the well?

These are typical questions which is why i asked if anyone knows
about existing schemes/efforts.  I guess most Linux distros do it already
so if nothing comes up here PyPI-specific (what is the status of TUF, btw?)
i am going to look into the distro's working models.  One difference is that
i want the vetting/signing to happen after publishing to allow for an 
incremental approach.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130717/4aa06d24/attachment.pgp>

More information about the Distutils-SIG mailing list