[Distutils] PEP 458: Surviving a Compromise of PyPI: Round 1

Nick Coghlan ncoghlan at gmail.com
Sat Nov 23 16:11:29 CET 2013


On 24 Nov 2013 00:58, "Paul Moore" <p.f.moore at gmail.com> wrote:
>
> On 22 November 2013 17:06, Justin Cappos <jcappos at nyu.edu> wrote:
> >> "unclaimed" project. What's this? What is the process of "claiming a
> >> project"? Is there a better terminology? This reads like picking abandoned
> >> project or project without authorship.
> >
> >
> > Yes, it is essentially a project where the owner hasn't uploaded a public
> > key to signal they will manage their own project. So it seems like you got
> > the gist of this from the name.
>
> Personally, I'm not too keen on the term "unclaimed". If I upload, own
> and manage a project but don't want to bother with the hassle of
> generating and managing signing keys, I don't think that means my
> project should be described by the (frankly, somewhat detrimental)
> term "unclaimed". "Unsigned" is accurate and specific - "unclaimed"
> sounds like I don't care about my project.

That sounds like an incentive for people to use offline keys to me - in
this scheme, that's a feature, not a bug.

Leaving PyPI packages unclaimed is unequivocally *bad*. The PEP only allows
it to ensure it isn't introducing new barriers to entry for software
distribution through PyPI.

We *don't* want people to have to trust the integrity of PyPI - the volume
of damage that can be done by a PyPI compromise is too high when it allows
malicious replacement of most packages. Getting developers to create and
register their own keys has problems of its own, but many manage to do it
effectively for ssh, and that's a closer model for the PEP than the GPG web
of trust.

Cheers,
Nick.

>
> Paul