[Distutils] vetting, signing, verification of release files

holger krekel holger at merlinux.eu
Wed Jul 17 10:16:40 CEST 2013

On Wed, Jul 17, 2013 at 07:48 +0000, Vinay Sajip wrote:
> holger krekel <holger <at> merlinux.eu> writes:
> > about existing schemes/efforts.  I guess most Linux distros do it already
> > so if nothing comes up here PyPI-specific (what is the status of TUF, btw?)
> > i am going to look into the distro's working models.
> ISTM it works for distros because they're the central authority guaranteeing
> the provenance of the software in their repos. It's harder with PyPI because
> it's not a central authority curating the content. Perhaps something like a
> web of trust would be needed.

I am thinking about curating release files _after_ publishing and
then configuring install activities to require "signed-off" release files.
Basically giving companies and devops the possibility to organise their
vetting processes and collaborate, without requiring PyPI to change first.
This certainly involves the question of trust but if nothing else an entity
can at least trust its own signatures :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130717/7d119417/attachment.pgp>

More information about the Distutils-SIG mailing list