[Python-Dev] PEP 427 comment: code signing

martin at v.loewis.de martin at v.loewis.de
Tue Oct 23 00:20:27 CEST 2012


Zitat von Daniel Holth <dholth at gmail.com>:

> Why are you using Ed25519 and JWS instead of PGP, S/MIME, or ECDSA?
>     Wheel's signing scheme is designed to protect against cryptography
>     that is not used.  Wheel tries to encourage signing by making it very
>     fast and easy.  Signature verification is encouraged by including
>     the signature in the archive itself rather than making it a separate
>     download, and by including a Python implementation of the entire
>     signing system in the reference implementation.
>
>     JWS and Ed25519 yield small, pure-Python implementations.  Ed25519
>     is fast enough that public-key cryptography can be considered for
>     applications where it was traditionally too slow to be used, so
>     wheels can be signed without worrying about performance.

I believe this analysis of reasons for not using cryptography is incorrect.
Speed never is an issue in deciding whether or not to use cryptographic
algorithms, today (except for cases with very limited CPU capabilities).
Instead, the primary reason for not choosing cryptography is ease-of-use.

For that reason, I still think that using an established algorithm would
be the better choice. I remain -1 on this choice.

Regards,
Martin




More information about the Python-Dev mailing list