[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Donald Stufft donald at stufft.io
Fri Jan 2 12:21:20 CET 2015

> On Jan 2, 2015, at 6:04 AM, Paul Moore <p.f.moore at gmail.com> wrote:
> On 2 January 2015 at 06:38, Donald Stufft <donald at stufft.io> wrote:
>> Developer keys get signed by offline keys controlled by I’m guessing either
>> myself or Richard or both.
> One thought here. The issue being discussed here seems mainly to be
> that it's hard to manage signing of developer keys. That's certainly
> one issue, but another is that the signing process takes time. When I
> set up my first project [1], I did so because I had an idea one
> afternoon, knocked up the first draft and set up the project. If there
> had been a delay of a week because you and Richard were both on
> holiday (or even a day, because of timezones) I may not have bothered
> - I tend to only have the opportunity to work on things for Python in
> pretty short bursts.
> You could argue that we don't want projects on PyPI that have been set
> up with so little preparation - it's a valid position to take - but
> that's a separate matter. I just want to make the point that
> management isn't the only issue here. Turnaround time is also a
> barrier to entry that needs to be considered. And not every project
> that people want to publish is something major like requests or
> django...
> Paul
> [1] I assume I only need to set up a key once, for my PyPI account. If
> I need an individual key per project, the cost multiplies. And it
> means that the barrier is to all new projects, rather than merely to
> attracting new developers.

To be clear, there is zero delay in being able to publish a new project, the
delay is between moving from a new project being validated by an online key
to an offline key. The only real difference between validation levels is that
until it's been signed by an offline key then people installing that project
are vulnerable to someone compromising PyPI. This is because until the
delegation of project X to a specific developer has been signed the "chain of
trust" contains a key that is sitting on the harddrive of PyPI.

However, once a delegation of Project X _has_ been signed changing that
delegation would need waiting until the next time the delegations were signed
by the offline keys. This is because once a project is signed by an offline
key then all further changes to the delegation require offline signing.

In addition, this does not mean (I believe! we should verify this) that the
owner of a project cannot further delegate to other people without delay, since
they'll be able to sign that delegation with their own keys and won't require
intervention from PyPI.

So really it looks like this (abbreviated, not exactly, etc):

root (offline)
|- PyPI Admins (offline)
   |- "Unclamined" (online)
      |- New Project that hasn't yet been signed for by PyPI Admins
         (offline, owned by author)
   |- Existing Project that has already been signed for by PyPI Admins
      (offline, owned by author)

The periodic signing process by the PyPI admins just moves a new project from
being signed for by the "Unclaimed" online key to being signed for by our
offline keys. This process is basically invisible to everyone involved.

Does that make sense?

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

More information about the Distutils-SIG mailing list