[Python-Dev] Signed packages

Floris Bruynooghe flub at devork.be
Sat Jun 23 13:32:54 CEST 2012


Oh sorry, having read the thread this spawned from I see you're talking
about MS Windows signed binaries.  Something I know next to nothing
about, so ignore my babbling.

On 23 June 2012 11:52, Floris Bruynooghe <flub at devork.be> wrote:
> On 22 June 2012 17:56, Donald Stufft <donald.stufft at gmail.com> wrote:
>> On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>>
>> Key distribution is the real issue though. If there isn't a key
>> distribution infrastructure in place, we might as well not bother with
>> signatures. PyPI could issue x509 certs to packagers. You wouldn't be
>> able to verify that the name given is accurate, but you would be able
>> to verify that all packages with the same listed author are actually
>> by that author.
>>
>> I've been sketching out ideas for key distribution, but it's very much
>> a chicken and egg problem, very few people sign their packages (because
>> nothing uses it currently), and nobody is motivated to work on
>> infrastructure
>> or tooling because no one signs their packages.
>
>
> I'm surprised gpg hasn't been mentioned here.  I think these are all
> solved problems, most free software that is signed signs it with the
> gpg key of the author.  In that case all that is needed is that the
> cheeseshop allows the uploading of the signature.  As for key
> distribution, the keyservers take care of that just fine and we'd
> probably see more and better attended signing parties at python
> conferences.
>
> Regards,
> Floris



-- 
Debian GNU/Linux -- The Power of Freedom
www.debian.org | www.gnu.org | www.kernel.org
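The sign-and-verify cycle that the quoted gpg suggestion relies on, as an added example (not part of the original mail or of any PyPI tooling): the maintainer signs an sdist with a gpg key and publishes the detached .asc next to it; the consumer imports the maintainer's public key into a keyring of their own and checks the signature before installing. The key distribution step the thread worries about is the gap between the two halves: the consumer must obtain that public key through a channel they trust (a keyserver lookup confirmed by fingerprint, a key-signing party), because a key fetched from the same place as the package proves nothing. Everything here is constructed: the identity, the stand-in archive, and the two throwaway GNUPGHOME directories that keep the maintainer's and the consumer's keyrings separate. It assumes GnuPG 2.1 or later on PATH.

```shell
#!/bin/sh
# Added example: maintainer-side signing and consumer-side verification of a
# package with gpg, run entirely in temporary keyrings so it works offline.
set -e

WORK=$(mktemp -d)
MAINT="$WORK/maintainer-home"   # maintainer's keyring (holds the secret key)
CONS="$WORK/consumer-home"      # consumer's keyring (holds only trusted public keys)
mkdir -m 700 "$MAINT" "$CONS"
trap 'gpgconf --homedir "$MAINT" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$CONS" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# gpg invocations for each side; the empty passphrase keeps the demo non-interactive.
gpg_maint() { gpg --batch --quiet --homedir "$MAINT" --pinentry-mode loopback --passphrase '' "$@"; }
gpg_cons()  { gpg --batch --quiet --homedir "$CONS" "$@"; }

# --- Maintainer side -------------------------------------------------------
# 1. A signing key for a constructed identity (never expires, for the demo only).
gpg_maint --quick-generate-key 'Example Maintainer <maintainer@example.invalid>' default default never

# 2. A stand-in for the sdist that would be uploaded to the cheeseshop.
SDIST="$WORK/mypkg-1.0.tar.gz"
printf 'constructed stand-in for an sdist archive\n' > "$SDIST"

# 3. Detached, ASCII-armoured signature: this is the file that would be uploaded
#    alongside the archive.
gpg_maint --detach-sign --armor --output "$SDIST.asc" "$SDIST"

# 4. The public key the maintainer publishes (keyserver, project page, ...).
gpg_maint --export --armor maintainer@example.invalid > "$WORK/maintainer.pub.asc"

# --- Consumer side ---------------------------------------------------------
# 5. The consumer imports the key they have decided to trust.  In real use the
#    fingerprint would be checked against one obtained out of band first.
gpg_cons --import "$WORK/maintainer.pub.asc"

# verify_sdist ARCHIVE SIGNATURE: exit 0 only if SIGNATURE is a good signature
# over ARCHIVE by a key present in the consumer's keyring.
verify_sdist() {
    gpg_cons --verify "$2" "$1"
}

# 6. A good archive verifies; one altered in transit does not.
verify_sdist "$SDIST" "$SDIST.asc" && echo "OK: signature verifies, safe to unpack"

TAMPERED="$WORK/mypkg-1.0.tampered.tar.gz"
cp "$SDIST" "$TAMPERED"
printf 'x' >> "$TAMPERED"
if ! verify_sdist "$TAMPERED" "$SDIST.asc" 2>/dev/null; then
    echo "REJECTED: tampered archive does not match the signature"
fi
```

gpg --verify reports the signature as good as soon as the signing key is in the keyring, printing only a warning about certification trust, so the decision of which keys belong in that keyring is the whole of the security; a consumer who blindly imports whatever key the signature names gets no more assurance than one who skips verification.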

