[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Nick Coghlan ncoghlan at gmail.com
Fri Jan 2 17:26:56 CET 2015

On 3 January 2015 at 02:12, Donald Stufft <donald at stufft.io> wrote:

> On Jan 2, 2015, at 10:51 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>> Getting them to manage additional keys, and get them signed and registered
>> appropriately, and then supplying them is going to be a similar amount of
>> work, and the purpose is far more cryptic and confusing. My proposal is
>> basically that instead of asking developers to manage signing keys, we
>> should instead ask them to manage an account on a validation server (or
>> servers).
>
> I need to think more about the rest of what you’ve said (and I don’t think
> it’s a short term problem), but I just wanted to point out that “managing
> keys” can be as simple as “create a secondary pass(word|phrase) and
> remember it/write it down/whatever”. It doesn’t need to be “secure this
> file and copy it around to all of your computers”. Likewise there’s no
> reason that “delegate authority to someone else” can’t be something like
> ``twine add-maintainer pip pfmoore``.

Yeah, I'm confident that the UI can be made relatively straightforward
regardless of how we make the actual validation work. The part I haven't
got the faintest clue how to do for the PEP 480 version is building viable
"folk models" of what those commands are doing on the back end that will
give people confidence that they understand what is going on just from
using the tools, rather than leaving them wondering why they need a
secondary password, etc.

From a technical perspective, I don't think the validation server idea is
superior to PEP 480. Where I think it's superior is that I'm far more
confident in my ability to explain to a developer with zero security
background how separate validation servers provide increased security, as
the separation of authority would be structural in addition to
mathematical. While the real security would still be coming from the maths,
a folk model that believes it is coming from the structural separation
between the publication server and the metadata validation servers will be
good enough for most practical purposes, and unless someone is particularly
interested in the mathematical details, they can largely be handwaved away
with "the separation of responsibilities between the services is enforced


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia