[Distutils] vetting, signing, verification of release files

holger krekel holger at merlinux.eu
Wed Jul 17 09:03:27 CEST 2013


On Tue, Jul 16, 2013 at 13:57 -0400, Donald Stufft wrote:
> On Jul 16, 2013, at 5:19 AM, holger krekel <holger at merlinux.eu> wrote:
> 
> > 
> > I am considering implementing gpg-signing and verification of release files
> > for devpi.  Rather than requiring package authors to sign their release
> > files, I am pondering a scheme where anyone can vet a particular
> > published release file by publishing a signature about it.  This aims
> > to help responsible companies to work together.
> >
> So I'm not entirely sure what your goals are here.

The goal is to facilitate collaboration between individuals and companies
in vetting the integrity and, to some degree, authenticity of a published
pypi package.

> What exactly are you verifying? What is going to verify signatures once you have a (theoretically) trusted set? What is going to keep a malicious actor from poisoning the well?

These are typical questions, which is why I asked if anyone knows
about existing schemes/efforts.  I guess most Linux distros do it already,
so if nothing PyPI-specific comes up here (what is the status of TUF, btw?)
I am going to look into the distros' working models.  One difference is that
I want the vetting/signing to happen after publishing, to allow for an
incremental approach.

cheers,
holger
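The scheme sketched above (third parties publish signatures about an already-published release file, and a consumer decides from a local trust list) can be made concrete as a threshold check. The following is an added example, not devpi code and not something the thread specifies: the statement format (a small JSON document with the file's SHA-256 and a verdict, plus a detached gpg signature), the fingerprints, the sample release bytes and the policy (N distinct trusted vetters say "ok", no trusted vetter says "bad") are all assumptions chosen to show how the "poisoning the well" question gets answered, namely by ignoring signatures from keys outside the trust list and statements about a different file hash.

```python
"""Threshold acceptance of third-party vetting signatures for a release file.

Added example, not devpi code.  Assumed format: a vetter publishes, next to
the release file, a JSON statement {"sha256": "<hex>", "verdict": "ok"|"bad"}
and a detached gpg signature over it.  The consumer keeps a local list of
trusted vetter key fingerprints and a threshold N.  The file is accepted only
if N distinct trusted vetters signed "ok" about its exact hash and no trusted
vetter signed "bad".  Statements from unknown keys, or about another hash,
carry no weight, so an attacker cannot flood the index with their own keys.
"""
import hashlib
import json
import shutil
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Vetting:
    sha256: str   # hex SHA-256 of the release file the statement refers to
    vetter: str   # primary key fingerprint gpg reported for the signature
    verdict: str  # "ok" or "bad"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_statement(text: str, vetter: str) -> Vetting:
    """Build a Vetting from a statement body whose signature was already checked."""
    obj = json.loads(text)
    if obj.get("verdict") not in ("ok", "bad"):
        raise ValueError("unknown verdict %r" % (obj.get("verdict"),))
    return Vetting(obj["sha256"].lower(), vetter.upper(), obj["verdict"])


def gpg_signer_fingerprint(statement_path: str, sig_path: str,
                           keyring: str) -> Optional[str]:
    """Verify the detached signature with gpg and return the signer's primary
    key fingerprint, or None if gpg is absent or the signature is invalid.
    Assumes a gpg binary and a keyring holding the vetter keys.  With
    --status-fd, gpg prints a VALIDSIG line whose last field is the primary
    key fingerprint, so a signature made by a subkey still maps to its vetter.
    """
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, statement_path],
        capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[-1].upper()
    return None


def evaluate(file_sha256: str, vettings: Iterable[Vetting],
             trusted: Iterable[str], threshold: int) -> Tuple[bool, str]:
    """Apply the threshold policy; returns (accepted, human-readable reason)."""
    want = file_sha256.lower()
    trusted_set = {f.upper() for f in trusted}
    ok_by, bad_by, ignored = set(), set(), 0
    for v in vettings:
        if v.vetter.upper() not in trusted_set or v.sha256.lower() != want:
            ignored += 1                   # untrusted key or other file: no weight
        elif v.verdict == "bad":
            bad_by.add(v.vetter.upper())
        else:
            ok_by.add(v.vetter.upper())    # a set: one vetter counts once
    if bad_by:
        return False, "rejected: flagged bad by %s" % sorted(bad_by)
    if len(ok_by) < threshold:
        return False, "rejected: %d of %d required trusted vettings (%d ignored)" % (
            len(ok_by), threshold, ignored)
    return True, "accepted: vetted by %s (%d ignored)" % (sorted(ok_by), ignored)


# Constructed sample data: fake release bytes and made-up fingerprints.
RELEASE = b"example-1.0.tar.gz: not a real sdist, just sample bytes\n"
RELEASE_SHA = sha256_hex(RELEASE)
VETTER_A = "1111222233334444555566667777888899990000"
VETTER_B = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
VETTER_C = "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"   # not in the trust list
TRUSTED = [VETTER_A, VETTER_B]


def statement(who: str, verdict: str, sha: str = RELEASE_SHA) -> Vetting:
    return parse_statement(json.dumps({"sha256": sha, "verdict": verdict}), who)


def demo() -> dict:
    """Outcomes of the policy on the constructed cases (threshold 2 unless noted)."""
    return {
        "two_trusted": evaluate(RELEASE_SHA, [statement(VETTER_A, "ok"),
                                              statement(VETTER_B, "ok")], TRUSTED, 2)[0],
        "untrusted_padding": evaluate(RELEASE_SHA, [statement(VETTER_A, "ok"),
                                                    statement(VETTER_C, "ok"),
                                                    statement(VETTER_C, "ok")], TRUSTED, 2)[0],
        "duplicate_vetter": evaluate(RELEASE_SHA, [statement(VETTER_A, "ok"),
                                                   statement(VETTER_A, "ok")], TRUSTED, 2)[0],
        "trusted_veto": evaluate(RELEASE_SHA, [statement(VETTER_A, "ok"),
                                               statement(VETTER_B, "bad")], TRUSTED, 1)[0],
        "other_file": evaluate(RELEASE_SHA, [statement(VETTER_A, "ok", "00" * 32),
                                             statement(VETTER_B, "ok")], TRUSTED, 2)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-18s %s" % (case, "accepted" if accepted else "rejected"))
```

Two design points worth noting: the file hash is inside the signed statement, so a signature cannot be replayed against a different upload of the same filename, and counting distinct fingerprints (rather than signature files) means one vetter cannot meet a threshold of two by signing twice. The trust list and threshold are the consumer's choice, which keeps the scheme incremental: a file with no vettings is simply not yet accepted, and nothing about publishing has to change.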