[Python-Dev] Status of packaging in 3.3

Fri Jun 22 15:48:58 CEST 2012

On 22 June 2012 13:09, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
> Paul Moore <p.f.moore <at> gmail.com> writes:
>
>> Signed binaries may be a solution. My experience with signed binaries
>> has not been exactly positive, but it's an option. Presumably PyPI
>> would be the trusted authority? Would PyPI and the downloaders need to
>> use SSL? Would developers need to have signing keys to use PyPI? And
>> more to the point, do the people designing the packaging solutions
>> have experience with this sort of stuff (I sure don't )?
>
> I'm curious - what problems have you had with signed binaries?

As a user, I guess not that much. I may be misremembering bad
experiences with different things. We've had annoyances with
self-signed jars, and websites. It's generally more about annoying
"can't confirm this should be trusted, please verify" messages which
people end up just saying "yes" to (and so ruining any value from the
check).

But I don't know how often I have used them, to the extent that the
only time I'm aware of them is when they don't work silently (e.g., I
get a prompt asking if I want to trust this publisher - this is
essentially a failure, as I always say "yes" simply because I have no
idea how I would go about deciding that I do trust them, beyond what
I've already done in locating and downloading the software from them!)

> I dipped my toes
> in this particular pool with the Python launcher installers - I got a code
> signing certificate and signed my MSIs with it. The process was fairly painless.

OK, that's a good example, I didn't even realise those installers were
signed, making it an excellent example of how easy it can be when it
works.

But you say "I got a code signing certificate". How? When I dabbled
with signing, the only option I could find that didn't involve paying
and/or having a registered domain of my own was a self-signed
certificate, which from a UI point of view seems of little use "Paul
Moore says you should trust him. Do you? Yes/No"...

If signed binaries is the way we go, then we should be aware that we
exclude people who don't have certificates from uploading to PyPI.
Maybe that's OK, but without some sort of check I don't know how many
current developers that would exclude, let alone how many potential
developers would be put off.

A Python-supported build farm, which signed code on behalf of
developers, might alleviate this. But then we need to protect against
malicious code being submitted to the build farm, etc.

> As far as I know, all signing does is to indicate that the binary package hasn't
> been tampered with and allows the downloader to decide whether they trust the
> signer not to have allowed backdoors, etc. I don't see that it mandates use of
> SSL, or even signing, by anyone. At least some people will require that an
> installer be invokable with an option that causes it to bail if any part of
> what's being installed can't be verified (for some value of "verified").

Fair enough. I don't object to offering the option to verify
signatures (I think I said something like that in an earlier message).
I do have concerns about making signed code mandatory. (Not least over
whether it'd let me install my own unsigned code!)

Paul