[Distutils] GnuPG signatures on PyPI: why so few?

Glyph Lefkowitz glyph at twistedmatrix.com
Sun Mar 12 15:51:13 EDT 2017


> On Mar 12, 2017, at 5:13 AM, Ben Finney <ben+python at benfinney.id.au> wrote:
> 
> Paul Moore <p.f.moore at gmail.com> writes:
> 
>> One tool that needs improvement to be easier to use for this to happen
>> is GPG itself.
> 
> No disagreement from me on that. And indeed, the GnuPG project's chronic
> under-funding eventually drew attention from the new Core Infrastructure
> Initiative <URL:https://www.coreinfrastructure.org/gnupg> to improve it
> faster than was historically the case.
> 
> This is thanks in large part to the amazing work of Nadia Eghbal
> <URL:http://nadiaeghbal.com/oss> in drawing attention to how critical
> free software, such as GnuPG, benefits society enormously and must
> receive reliable funding from the organisations who benefit.
> 
> If anyone reading this works for any organisation that wants to ensure
> such critical free-software infrastructure continues to be consistently
> funded and maintained, encourage regular financial contribution to the
> Core Infrastructure Initiative <URL:https://www.coreinfrastructure.org/>
> or similar projects.

No disrespect to GPG's maintainers, who are indeed beleaguered and underfunded, but the poor usability of the tool isn't entirely down to a lack of resources.

One reason we may not want to require or even encourage the use of GPG is that GPG is bad.  Publishing your own heartfelt screed about why you used to like GPG but really, we need to abandon it now, has become the national sport of the information security community:

https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/
https://blog.filippo.io/giving-up-on-long-term-pgp/
https://moxie.org/blog/gpg-and-me/

These posts are talking a lot about email, but many of the problems are just fundamental; in particular the "museum of 90s crypto" aspect is fundamentally un-solvable within the confines of the OpenPGP specification.  "Unusable email clients" in this case could be replaced with "unusable packaging tooling".

If you're retrieving packages from PyPI over TLS, they're already cryptographically signed at the time of retrieval, by an entity with a very good reputation in the community (the PSF) that you already have to trust anyway because that's where Python comes from.  So if we could get away from GPG as a specific piece of tooling here and focus on the problem a detached GPG signature could solve, it's "direct trust of packagers rather than the index".

The only way that Debian maintainers can supply this trust metadata right now is to manually populate debian/upstream/signing-key.asc.  This is a terrible mechanism that is full of flaws, but requiring a human being to at least look at the keys is at least a potential benefit because maybe they'll notice that it's odd that the key got rotated.  If PyPI required signatures from everybody then it would be very tempting to skip this manual step and just retrieve the signing key from the PyPI account uploading the packages, which is the exact same guarantee you had before via the crypto TLS gave you (i.e. the PSF via PyPI makes some highly ambiguous attestation as to the authenticity of the package, basically just "its name matches") but now you're involving a pile of highly-complex software with fundamentally worse crypto than OpenSSL would have given you.

To summarize: Even if we only cared about supplying package upstreams to Debian (and that is a tiny part of PyPI's mission), right now, using the existing tooling of uscan and lintian, the only security value that could _possibly_ be conveyed here would be an out-of-band conversation between the maintainer and upstream about what their signing keys are and how the signing process works.  Any kind of automation would make it less likely that would happen, which means that providing tool support to automate this process would actually make things worse.

>> As a Windows user, I've "played" with it in the past, and found it
>> frustratingly difficult.
> 
> I hope many people here will find the guide published by the FSF, Email
> Self-Defense <URL:https://emailselfdefense.fsf.org/>, a useful walk
> through how to set it up properly.
> 
> -- 
> \     “I must say that I find television very educational. The minute |
>  `\       somebody turns it on, I go to the library and read a book.” |
> _o__)                                                    —Groucho Marx |
> Ben Finney
> 

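As an added example that is not part of this thread, here is the Debian-side configuration the message above refers to: a debian/watch file that makes uscan fetch the sdist and verify a detached OpenPGP signature against a key the maintainer has pinned by hand in debian/upstream/signing-key.asc. The project name examplepkg and the fingerprint placeholder are assumptions, not values from the thread.

```text
# debian/watch  (added example; "examplepkg" is a placeholder project name)
version=4
# Fetch the sdist through the pypi.debian.net redirector and expect the
# detached signature at the same URL with ".asc" appended.  uscan checks
# that signature only against keys already present in
# debian/upstream/signing-key.asc; it never fetches a key from the index,
# so a rotated upstream key fails verification instead of being trusted.
opts=pgpsigurlmangle=s/$/.asc/ \
  https://pypi.debian.net/examplepkg/examplepkg-(\d[\d.]*)\.tar\.gz

# debian/upstream/signing-key.asc is populated out of band, after the
# maintainer has confirmed the fingerprint with upstream directly:
#   gpg --armor --export <UPSTREAM-FINGERPRINT-PLACEHOLDER> \
#       > debian/upstream/signing-key.asc
# A key change then shows up as a deliberate edit to this file in the
# packaging repository, which is the manual review step the message above
# argues is the only real security value in the current tooling.
```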