[Distutils] GnuPG signatures on PyPI: why so few?

Glyph Lefkowitz glyph at twistedmatrix.com
Tue Mar 14 01:48:19 EDT 2017


> On Mar 13, 2017, at 9:23 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> 
> On 14 March 2017 at 03:46, Steve Dower <steve.dower at python.org <mailto:steve.dower at python.org>> wrote:
> Another drive-by contribution: what if twine printed the hashes for anything it uploads with a message basically saying "here are the things you should publish somewhere for this release so people can check the validity of your packages after they download them"?
> 
> I suspect many publishers have never considered this is something they could or should do. Some very basic prompting could easily lead to it becoming part of the normal workflow.
> 
> Huh, and with most PyPI publishers using public version control systems, their source control repo itself could even serve as "a trusted channel that they control and the PyPI service can't influence". For example, the artifact hashes could be written out by default to:
> 
>     .released_artifacts/<version>/<artifact_name>.sha256
> 
> And if twine sees the hash file exists before it starts the upload, it could complain that the given artifact had already been published even before PyPI complains about it.

1. This sounds like it could be very cool.

2. Except, as stated - i.e. hashes without signatures - this just means we all trust Github rather than PyPI :).

3. A simple signing scheme, like https://minilock.io but for plaintext signatures rather than encryption <https://github.com/kaepora/miniLock/issues/198>, could potentially address this problem.

4. Cool as that would be, someone would need to design that thing first, and that person would need to be a cryptographer.

5. Now all you need to do is design a globally addressable PKI system.  Good luck everybody ;-).

-glyph
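As an added example (not code from this thread, from twine, or from PyPI), here is the hash-record flow Nick sketches above, in Python: write `.released_artifacts/<version>/<artifact_name>.sha256` before uploading, refuse the upload if a record already exists, and let a consumer check a download against the committed record. The function names, the temporary-directory demo and the sample artifact bytes are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

class AlreadyPublished(Exception):
    """A hash record for this artifact and version already exists."""

def sha256_file(path):
    """Stream the file so a large wheel or sdist never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_artifact(artifact, version, record_dir):
    """Write <record_dir>/<version>/<name>.sha256 before uploading.
    Refuses if a record exists: the pre-upload check proposed in the thread."""
    artifact = Path(artifact)
    record = Path(record_dir) / version / (artifact.name + ".sha256")
    if record.exists():
        raise AlreadyPublished(f"{artifact.name} {version} already recorded")
    digest = sha256_file(artifact)
    record.parent.mkdir(parents=True, exist_ok=True)
    record.write_text(f"{digest}  {artifact.name}\n")  # sha256sum -c layout
    return digest

def verify_download(downloaded, version, record_dir):
    """Consumer side: check a downloaded file against the committed record.
    This only moves trust from PyPI to the record's host; a hash is not a signature."""
    record = Path(record_dir) / version / (Path(downloaded).name + ".sha256")
    return hmac.compare_digest(record.read_text().split()[0], sha256_file(downloaded))

def run_demo():
    # Constructed sample artifact: plain bytes standing in for a wheel.
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "example_pkg-1.0-py3-none-any.whl"
        wheel.write_bytes(b"sample bytes standing in for a wheel\n")
        records = Path(tmp) / ".released_artifacts"
        digest = record_artifact(wheel, "1.0", records)
        try:
            record_artifact(wheel, "1.0", records)
            refused = False
        except AlreadyPublished:
            refused = True
        verified = verify_download(wheel, "1.0", records)
        wheel.write_bytes(b"tampered\n")  # simulate a modified download
        return {"digest": digest, "refused": refused, "verified": verified,
                "tampered_rejected": not verify_download(wheel, "1.0", records)}
```

The record file uses the `<hex>  <filename>` layout that `sha256sum -c` accepts, so a consumer can also verify without this script; as Glyph's second point notes, the check is only as trustworthy as the repository hosting the record.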
