[Distutils] PEP draft on PyPI/pip package signing

Paul Moore p.f.moore at gmail.com
Mon Jul 28 21:13:35 CEST 2014


On 28 July 2014 16:01, Giovanni Bajo <rasky at develer.com> wrote:
> I thus solicit a second round of review of my proposal; if you want me to upload to Google Docs for ease of commenting, I can do that as well.
> I would love to get the PEP to its final form and then ask for a pronouncement.

I have only scanned the initial part of the proposal thus far, but I
have some comments.

First of all, the proposal is well-written - I'm not a security expert
and my eyes very rapidly glaze over when reading security documents.
(I know what you mean about the TUF docs!) Your PEP was pretty easy
for me to follow, so many thanks for that :-)

Comments on the content:

* I assume that installation of unsigned packages would not need GPG
or any form of key download, and would work as now. That's crucial,
and without that, the proposal is a non-starter (consider pip running
in an environment not connected to the internet, installing local
builds that don't need signing and haven't been).
* I didn't look at how the signature metadata was supplied, but I
assume it would only be served from full indexes and not from
--find-links locations (relevant in the above scenario).
* I am strongly against pip depending on an external GPG. Even though
it may be a simple install, it may not be allowed in locked-down
environments, and on virtual machines and testing services (like
Travis or Appveyor) installing may be non-trivial or simply an
annoying extra step.
* Given that this leaves a pure-python GPG implementation, does one
exist? Is it robust? I wouldn't want to rely on a low-quality
implementation.
* Also, would it be fast enough? Speed of building virtualenvs has
always been something users care about (it was behind the development
of wheels for example) and a key-checking step could slow down builds
noticeably.
* Other tools would need changing as well. There's distlib, and PyPI
mirroring tools like devpi.
* There will always need to be an option to install unsigned packages,
even if it's only for local packages served up by a private index.

Also, a couple of points that are more related to the general idea of
"everything should be signed" - something that I don't disagree with
but I do have opinions on, as someone who's never actually published
anything on PyPI but probably will someday (I have an endless stream
of "nearly ready" stuff...) and who fears that the expectations that
maintainers are at least minimally organised might just exclude him
;-)

* I didn't see a discussion of what happens if a maintainer loses his
GPG key (not compromised, just lost - say he accidentally deleted his
only copy). Would he have to generate a new one and re-sign
everything? How would that affect users of his packages?
* Also what about a maintainer working on a different PC where he
doesn't have his key available? I guess the answer there may be
"tough, you can't maintain your package without your key available".
(How secure would services like SkyDrive and Dropbox be considered in
that regard? I normally work between 2 PCs where the only reliable
shared resource I have is SkyDrive).

These aren't directly related to the specifics of the proposal itself,
but might warrant a section addressing them...

Paul

