[Distutils] PEP draft on PyPI/pip package signing

Donald Stufft donald at stufft.io
Tue Jul 29 04:09:07 CEST 2014


On July 28, 2014 at 9:48:05 PM, Donald Stufft (donald at stufft.io) wrote:
> > > > > 2. What level of damage mitigation are we aiming to attain in the event of a full PyPI
> > > > > compromise? (i.e. attacker has full control over absolutely everything published
> > > > > from PyPI)
> > > >
> > > > I'm not sure I understand the question or how it differs from the previous one. The threat
> > > > model section on "PyPI server compromise" in my PEP has some details though.
> > >
> > > And it amounts to minimal additional defence beyond where we are today.
> > >
> > Yes. I don't claim otherwise either.
>
> I'm not sure I'm understanding you correctly, if you don't claim that this PEP
> provides more than minimal additional defense beyond where we are today, then
> what is the point of it? Why would we replace something that already exists
> for something that doesn't exist and is more complex if it doesn't provide
> more than a minimal amount of additional defense?

Ok, Richard pointed out to me that this is probably saying you don't claim it
does in this one particular aspect and not in general. If that is the case then
I retract this question.

--  
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
