[Distutils] GnuPG signatures on PyPI: why so few?
Nick Coghlan
ncoghlan at gmail.com
Tue Mar 14 02:52:14 EDT 2017
On 14 March 2017 at 15:48, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
>
> 2. Except, as stated - i.e. hashes without signatures - this just means we
> all trust Github rather than PyPI :).
>
Yeah, HTTPS would still be a common point of compromise - that kind of
simple scheme would just let the repo hosting and PyPI serve as
cross-checks on each other, such that you had to compromise both (or the
original publisher's system) in order to corrupt both the published
artifact *and* the publisher's record of the expected artifact hash.
It would also be enough to let publishers check that the artifacts that
PyPI is serving match what they originally uploaded - treating it as a QA
problem as much as a security one.
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
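As an added illustration of the cross-check described in this message, the script below is example code, not anything from the thread, from PyPI, or from pip. It assumes a constructed JSON record (filename to SHA-256) that a publisher would commit to their repo hosting, plus constructed artifact bytes standing in for what the index serves; the record format, filenames and byte strings are all invented for the example. The check detects an index serving something other than what the record says, and the publisher's own "does PyPI serve what I uploaded" QA check is the same comparison run against their local copy. It does not detect a compromise of both sources or of the publisher's machine before the record was written, which is the limit the message itself points out.

```python
import hashlib
import hmac
import json

# Constructed sample data (not real artifacts): the publisher's own copy of
# each file, from which the committed hash record is derived.
PUBLISHER_ARTIFACTS = {
    "example-1.0.tar.gz": b"example sdist bytes v1.0",
    "example-1.0-py3-none-any.whl": b"example wheel bytes v1.0",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_publisher_record(artifacts: dict) -> str:
    """JSON the publisher would commit to repo hosting: filename -> expected sha256.
    This record format is an assumption of the example, not a PyPI or pip format."""
    record = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    return json.dumps(record, indent=2)


def cross_check(record_json: str, served: dict) -> dict:
    """Compare artifacts an index serves against the publisher's committed record.

    Returns one status per filename:
      'ok'                 hash of served bytes matches the record
      'mismatch'           served bytes differ from what the publisher recorded
      'missing-from-index' record lists a file the index does not serve
      'not-in-record'      index serves a file the publisher never recorded
    Both fetches (record and artifact) would normally ride over HTTPS, so a TLS
    compromise on the client side is still a single point of failure here.
    """
    record = json.loads(record_json)
    statuses = {}
    for name, expected in record.items():
        data = served.get(name)
        if data is None:
            statuses[name] = "missing-from-index"
        elif hmac.compare_digest(sha256_hex(data), expected):
            statuses[name] = "ok"
        else:
            statuses[name] = "mismatch"
    for name in served:
        if name not in record:
            statuses[name] = "not-in-record"
    return statuses


def is_consistent(statuses: dict) -> bool:
    """True only when every recorded file is served unchanged and nothing extra appears."""
    return bool(statuses) and all(s == "ok" for s in statuses.values())


if __name__ == "__main__":
    record = build_publisher_record(PUBLISHER_ARTIFACTS)
    # Index serving exactly what was uploaded: everything reports 'ok'.
    print(cross_check(record, dict(PUBLISHER_ARTIFACTS)))
    # Constructed case where only the index copy of one file was replaced:
    # the record on the repo host still holds the original hash, so it is caught.
    tampered = dict(PUBLISHER_ARTIFACTS)
    tampered["example-1.0.tar.gz"] = b"some other sdist bytes"
    print(cross_check(record, tampered))
```

Run it directly to see the honest and the mismatched case; the same `cross_check` call, fed the publisher's local files instead of index downloads, is the QA check that a maintainer could run after each release.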