[Distutils] self.introduce(distutils-sig)

Donald Stufft donald at stufft.io
Wed Mar 20 19:30:53 CET 2013


On Mar 20, 2013, at 12:31 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On Wed, Mar 20, 2013 at 9:03 AM, Steve Dower <Steve.Dower at microsoft.com> wrote:
>>> From: Nick Coghlan [mailto:ncoghlan at gmail.com]
>>> [snip]
>>> 
>>> I was pointed to an interesting resource:
>>> http://www.lfd.uci.edu/~gohlke/pythonlibs/
>>> 
>>> (The security issues with that arrangement are non-trivial, but the
>>> convenience factor is huge)
>> 
>> FWIW, one of the guys on our team has met with Christoph and considers him trustworthy.
> 
> Thanks, that's great to know, and ties into an idea that I just had.
> In addition to whether or not the build is trusted, there's also the
> risk of MITM attacks against the download site (less so when automated
> installers aren't involved, but still a risk). We just switched PyPI
> over to HTTPS for that very reason.
> 
> The idle thought I had was that it may be useful if PyPI users could
> designate other users as "repackagers" for their project, and PyPI
> offered an interface that was *just* file uploads for an existing
> release.

I *think* if done properly a TUF-secured API can be set up so that the role for signing certain files is delegated, but I'm not sure.

> 
> Then the pip developers, for example, could say "we trust Christoph to
> make our Windows installers", and grant him repackager access so he
> could upload the binaries for secure redistribution from PyPI rather
> than needing to host them himself.
> 
> We'd probably want something like this for an effective build farm
> system anyway, this way it could work regardless of whether it was a
> human or an automated system converting the released sdists to
> platform specific binaries.
> 
> Cheers,
> Nick.
> 
> -- 
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
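The delegation Donald is hedging about is a standard TUF construct: the project's targets metadata lists delegated roles, each with its own keyids, a threshold and a set of path patterns, and a signature from a delegated key is only accepted for targets whose path matches that role's patterns. The following model is an added example, not code from this thread, from TUF, or from PyPI: it shows how a "repackager" key authorized for pip's Windows wheels can publish those files but cannot sign pip's sdist, another project's files, or a tampered wheel. The role and key names, the path patterns and the file bytes are constructed; HMAC-SHA256 with a per-key secret stands in for the Ed25519/RSA signatures real TUF uses, so that the example runs on the standard library alone (the authorization logic is what matters here, not the primitive).

```python
"""TUF-style targets delegation, modelled with stdlib only (added example)."""
import fnmatch
import hashlib
import hmac


# --- keys and signatures (stand-in; real TUF uses public-key signatures) ---
def make_key(seed: str):
    """Deterministic, constructed key: (keyid, secret). TUF keyids are a hash
    of the public key; here the secret itself is hashed to get an identifier."""
    secret = hashlib.sha256(b"example-key:" + seed.encode()).digest()
    keyid = hashlib.sha256(secret).hexdigest()[:16]
    return keyid, secret


def sign(secret: bytes, path: str, sha256: str) -> str:
    """The signature covers both the target path and the file hash, so a file
    swapped in transit (MITM) or re-labelled under another name fails to verify."""
    return hmac.new(secret, f"{path}\n{sha256}".encode(), hashlib.sha256).hexdigest()


def verify(secret: bytes, path: str, sha256: str, sig: str) -> bool:
    return hmac.compare_digest(sign(secret, path, sha256), sig)


# --- metadata in the shape TUF delegations take (keyids/threshold/paths) ---
def build_targets(pip_keyid: str, repackager_keyid: str) -> dict:
    """Targets metadata for pip with one delegated role restricted to Windows
    binaries. Role name and patterns are constructed for the example."""
    return {
        "keyids": [pip_keyid],
        "threshold": 1,
        "delegations": [
            {
                "name": "pip-windows-repackager",
                "keyids": [repackager_keyid],
                "threshold": 1,
                "paths": ["pip-*-win32.whl", "pip-*-win_amd64.whl", "pip-*.win32.exe"],
            }
        ],
    }


def matching_roles(targets: dict, path: str):
    """Roles allowed to sign `path`: the top-level targets role always, plus
    every delegation whose patterns match. (Real TUF also honours delegation
    order and 'terminating' flags; omitted here.)"""
    roles = [("targets", targets["keyids"], targets["threshold"])]
    for d in targets.get("delegations", []):
        if any(fnmatch.fnmatchcase(path, p) for p in d["paths"]):
            roles.append((d["name"], d["keyids"], d["threshold"]))
    return roles


def verify_upload(targets: dict, keyring: dict, path: str, sha256: str, signatures):
    """Accept `path` if some authorized role reaches its threshold of distinct,
    valid signatures. `signatures` is a list of (keyid, sig); `keyring` maps
    keyid -> secret (stand-in for the public keys carried in the metadata).
    Returns the accepting role's name, or None if the upload is rejected."""
    for name, keyids, threshold in matching_roles(targets, path):
        valid = set()
        for keyid, sig in signatures:
            if keyid in keyids and keyid in keyring and verify(keyring[keyid], path, sha256, sig):
                valid.add(keyid)
        if len(valid) >= threshold:
            return name
    return None


def demo() -> dict:
    """Run the cases a PyPI-side verifier would have to get right."""
    pip_keyid, pip_secret = make_key("pip-maintainer")
    chris_keyid, chris_secret = make_key("windows-repackager")
    other_keyid, other_secret = make_key("some-other-uploader")
    # The verifier may know many keys; authorization comes from the metadata,
    # not from whether a key is recognised.
    keyring = {pip_keyid: pip_secret, chris_keyid: chris_secret, other_keyid: other_secret}
    targets = build_targets(pip_keyid, chris_keyid)

    wheel, sdist, foreign = "pip-1.3.1-win32.whl", "pip-1.3.1.tar.gz", "requests-1.0-win32.whl"
    h = hashlib.sha256(b"constructed wheel bytes").hexdigest()
    h_tampered = hashlib.sha256(b"constructed wheel bytes, modified").hexdigest()

    return {
        "repackager signs pip wheel": verify_upload(targets, keyring, wheel, h, [(chris_keyid, sign(chris_secret, wheel, h))]),
        "pip maintainer signs wheel": verify_upload(targets, keyring, wheel, h, [(pip_keyid, sign(pip_secret, wheel, h))]),
        "repackager signs pip sdist": verify_upload(targets, keyring, sdist, h, [(chris_keyid, sign(chris_secret, sdist, h))]),
        "repackager signs other project's wheel": verify_upload(targets, keyring, foreign, h, [(chris_keyid, sign(chris_secret, foreign, h))]),
        "unlisted key signs pip wheel": verify_upload(targets, keyring, wheel, h, [(other_keyid, sign(other_secret, wheel, h))]),
        "repackager signature, file tampered in transit": verify_upload(targets, keyring, wheel, h_tampered, [(chris_keyid, sign(chris_secret, wheel, h))]),
    }


if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case}: {'accepted via ' + role if role else 'REJECTED'}")
```

Two points the model makes visible: the repackager's authority is scoped by path pattern, so compromise of that key exposes only the files it may sign, and because the signature binds the path to the file hash, serving the metadata over HTTPS is belt-and-braces rather than the only thing standing between a user and a swapped download. In real TUF the metadata is itself signed JSON and delegations are walked in order with optional "terminating" entries; threshold signing (for example, requiring both the repackager and a project maintainer) falls out of the same structure by raising `threshold` and listing both keyids.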
