[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Paul Moore p.f.moore at gmail.com
Wed Dec 31 19:04:36 CET 2014

On 31 December 2014 at 17:43, Vladimir Diaz <vladimir.v.diaz at gmail.com> wrote:
> PEP 480 includes a section that discusses a potential approach to packages
> signed by package authors:
> https://www.python.org/dev/peps/pep-0480/#automated-signing-solution
> Let us know what you think.

Thanks for the pointer. I read the section you referred to (admittedly
in isolation). The language is unfamiliar to me, so I'm afraid I
didn't get much from it. For example, I don't know what miniLock is,
so that analogy was no help. Also, the phrase "the sharing of private
keys across multiple machines of each developer" didn't mean much
other than to raise alarms for me that I might not be able to simply
log onto a new machine (a VM, for example, or a work machine) and do a
quick "git clone; hack; python setup.py upload" to release an
emergency fix, as I'd need a private key with me (as opposed to a
password I can remember), and I'd needto do something to "allow key
sharing" . That would be annoying.

The "Enter a secondary password" note struck me as odd. Why would I
need a *second* password? And why wouldn't I just reuse the same
password as I use for PyPI? After all, I'm trusting that password
hasn't been compromised, why make it harder on myself by needing to
remember two passwords?

Terminology-wise, I don't know what "adding a new identity" means. Is
that authorising a second developer? Or could I need to have multiple
"identities" myself? The first is fine, the second isn't (I'm me, why
do I need to have 2 identities just to upload a distribution)?

I'm aware of (and sorry about) the fact that this is very much a
"drive by" scan of one section of the proposal in isolation. I *hope*
it's still useful feedback, even if it's neither thorough nor
particularly thoughtful - I was sort of aiming for "something is
better than nothing", and that's all :-)

Anyway, I'll leave further comment to people with a better
understanding of the issue, although I'm happy to clarify if any of
the above isn't clear.


More information about the Distutils-SIG mailing list