[Distutils] [tuf] Re: vetting, signing, verification of release files
holger at merlinux.eu
Thu Jul 18 10:36:47 CEST 2013
On Wed, Jul 17, 2013 at 21:46 -0400, Donald Stufft wrote:
> As I've mentioned before, an online key (as is required by PyPI) means
> that if someone compromises PyPI, they compromise the key. It seems to
> me that TUF is really designed to handle the case of the Linux
> distribution (or similar) where you have vetted maintainers who are
> given a subsection of the total releases. However, PyPI does not have
> vetted authors nor the manpower to sign authors' keys offline.
If we had a person with a master key present at PyCon conferences,
package maintainers could walk up and have their key signed. Given
the many activities of the PSF and the community, I don't think it's
off-limits. If we have sig-verified installs, there would be an
incentive for authors to go for that little effort.
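The trust chain sketched above (an offline master key certifying maintainer keys, maintainers signing releases, installers accepting only releases whose signing key carries the master's certification) as an added example in Go. This is not code from this thread, from PyPI or from TUF; the certificate format, the maintainer name "alice" and the release bytes are constructed for illustration. The point it shows is the one Donald raises: a key that the master never certified, such as one minted on a compromised online host, is rejected regardless of how well its release signature verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyCert is a hypothetical certificate: the offline master key vouches for
// one maintainer's public key. This is the record a key-signing desk would
// produce after checking the maintainer's identity in person.
type KeyCert struct {
	Maintainer string
	PubKey     ed25519.PublicKey
	MasterSig  []byte // master signature over certPayload(Maintainer, PubKey)
}

// GenKey returns a fresh Ed25519 key pair (test keys only; a real master key
// would be generated and kept offline).
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// certPayload binds the maintainer name to the key so a signature over one
// maintainer's key cannot be replayed for another name.
func certPayload(name string, pub ed25519.PublicKey) []byte {
	return append([]byte("maintainer-key:"+name+":"), pub...)
}

// IssueCert is the master key's offline act: it signs a maintainer's public key.
func IssueCert(master ed25519.PrivateKey, name string, pub ed25519.PublicKey) KeyCert {
	return KeyCert{Maintainer: name, PubKey: pub, MasterSig: ed25519.Sign(master, certPayload(name, pub))}
}

// SignRelease signs the SHA-256 digest of a release file with the maintainer key.
func SignRelease(maint ed25519.PrivateKey, release []byte) []byte {
	digest := sha256.Sum256(release)
	return ed25519.Sign(maint, digest[:])
}

// VerifyRelease is the installer side. It accepts a release only when
// (1) the maintainer key is certified by the trusted master public key and
// (2) the release signature verifies under that certified maintainer key.
func VerifyRelease(masterPub ed25519.PublicKey, cert KeyCert, release, sig []byte) error {
	if !ed25519.Verify(masterPub, certPayload(cert.Maintainer, cert.PubKey), cert.MasterSig) {
		return errors.New("maintainer key is not certified by the master key")
	}
	digest := sha256.Sum256(release)
	if !ed25519.Verify(cert.PubKey, digest[:], sig) {
		return errors.New("release signature does not verify under the certified maintainer key")
	}
	return nil
}

func main() {
	masterPub, masterPriv := GenKey()
	maintPub, maintPriv := GenKey()
	cert := IssueCert(masterPriv, "alice", maintPub)

	release := []byte("example-1.0.tar.gz contents (constructed sample)")
	sig := SignRelease(maintPriv, release)
	fmt.Println("genuine release:", VerifyRelease(masterPub, cert, release, sig))

	// A key nobody certified offline: its self-issued certificate fails step (1).
	roguePub, roguePriv := GenKey()
	rogueCert := IssueCert(roguePriv, "alice", roguePub)
	fmt.Println("uncertified key:", VerifyRelease(masterPub, rogueCert, release, SignRelease(roguePriv, release)))

	// A modified file under a valid certificate fails step (2).
	fmt.Println("tampered release:", VerifyRelease(masterPub, cert, append(release, '!'), sig))
}
```

The installer only ever needs to trust one public key (the master's); everything else it checks is carried alongside the release. Whether the master key is a single PSF-held key or a TUF-style role with thresholds is a policy choice layered on top of the same two checks.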