[Distutils] [tuf] Re: vetting, signing, verification of release files

holger krekel holger at merlinux.eu
Thu Jul 18 10:36:47 CEST 2013

On Wed, Jul 17, 2013 at 21:46 -0400, Donald Stufft wrote:
> As I've mentioned before an online key (as is required by PyPI) means
> that if someone compromises PyPI they compromise the key. It seems to
> me that TUF is really designed to handle the case of the Linux
> distribution (or similar) where you have vetted maintainers who are
> given a subsection of the total releases. However PyPI does not have
> vetted authors nor the man power to sign authors keys offline.

If we had a person with a master key present at Pycon conferences,
package maintainers could walk up and have their key signed.  Given
the many activities of the PSF and the community, i don't think it's
off-limits.  If we have sig-verified installs, there would be an
incentive for authors to go for that little effort.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130718/09d15f97/attachment.pgp>

More information about the Distutils-SIG mailing list