[Distutils] Remove the "Mirror Authenticity" API

Donald Stufft donald at stufft.io
Sun Sep 29 03:05:00 CEST 2013

I believe we should remove the /serverkey and /serversig/* API's from PyPI.

* I am not aware of *any* implementation that actually verifies packages against this API

* In the light of PEP449 users now make a very conscious choice of which mirror they are
   using, which means they are no longer downloading random things from indiscriminate

* It uses DSA, which is a cryptographic primitive where if you reuse the random number or
   *any* bias in your random number you completely leak the private key. Given the nature
   of PyPI it's completely possible for a malicious user to essentially create an unbounded
   number of signatures making it more likely that a random nonce will be reused.

* Moving forward something like TUF is a much better answer to the problems this attempts
   to solve as well as other problems.

So it's basically unused with questionable primitives and better solutions exist.

Does anyone have any objections to this being removed?

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130928/0ae47030/attachment.sig>

More information about the Distutils-SIG mailing list