[Python-Dev] PEP 427 comment: code signing

Daniel Holth dholth at gmail.com
Tue Oct 23 13:16:57 CEST 2012


On Tue, Oct 23, 2012 at 1:42 AM,  <martin at v.loewis.de> wrote:

> I'm also -1 on the notion that the entire key distribution matter is out
> of scope. With that approach, I feel that the package signing is essentially
> pointless.
>
> As a general note on this, this entire issue lacks a threat model:
> what kind of attack do you want to protect against? I can't think of
> any realistic threat that is effectively protected against with your
> signature scheme.

It is designed to protect against a man-in-the-middle attack. What if
I'm at pycon using an open access point? An attacker has proxied the
connection to provide malware instead of the correct packages.
Thankfully, the tahoe-lafs developers have sent me a PGP-signed
requirements file with the keys of all the dependencies they trust:

allmydata-tahoe[algorithmkey=YDWz8J6HAQc1V4_EoO-1cEGHSHjRd-5HYjj4hPCmSVZUZDm67-NngM2_XcMJOddXBv6xNLjK91DEn20KZCSFeBdMzeohE1YNq__4CT91StT0cQ_zhrQ1vwwwILZuOfgPmVep3lw2Jn3KVnl1PBw7P1WjuCctENxwuFz3NuWhER_uldA-0ted0SYKvvD5zI85epp8mRucxw0d7NUTdtTci7Hyx-ujTBDlTIB-tEIQ_9eJf9BznFuqvvfYf4qlfgjF4nvDgU1pQfbu6RSBOVdZEFgNqoPWV-Qo_4HjyKA7WG0Xk9OI92Jl3JkZRV2bP-KdRwbnUj7dyVSvhr2ilWx0s380epSSPLBByrmW8dkj_b8NJwSVk5J6rWMqKplINZlpWW5j3O1pn2U5e-XG6AWBNZd5r89MhXHhz2PA9CyGb7sINRljC716tdz-RYaFD2lScdszygNsMBvLHcyz9GQmjPtK4GhQQGrRyu40Q3BWJWq4l70pBBmG]

Twisted[algorithmkey=YDWz8J6HAQc1V4_EoO-1cEGHSHjRd-5HYjj4hPCmSVZUZDm67-NngM2_XcMJOddXBv6xNLjK91DEn20KZCSFeBdMzeohE1YNq__4CT91StT0cQ_zhrQ1vwwwILZuOfgPmVep3lw2Jn3KVnl1PBw7P1WjuCctENxwuFz3NuWhER_uldA-0ted0SYKvvD5zI85epp8mRucxw0d7NUTdtTci7Hyx-ujTBDlTIB-tEIQ_9eJf9BznFuqvvfYf4qlfgjF4nvDgU1pQfbu6RSBOVdZEFgNqoPWV-Qo_4HjyKA7WG0Xk9OI92Jl3JkZRV2bP-KdRwbnUj7dyVSvhr2ilWx0s380epSSPLBByrmW8dkj_b8NJwSVk5J6rWMqKplINZlpWW5j3O1pn2U5e-XG6AWBNZd5r89MhXHhz2PA9CyGb7sINRljC716tdz-RYaFD2lScdszygNsMBvLHcyz9GQmjPtK4GhQQGrRyu40Q3BWJWq4l70pBBmG]

...

and so on. I pip install --signed-only -r tahoe-requirements.txt (not
implemented yet) to install the application, knowing the packages come
from the publishers the app developer expected.
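A defender-side sketch of the check this post describes, added here as an example and not code from the post, from PEP 427 or from pip: it reads a requirements file in the `name[algorithmkey=...]` form, decodes each pinned publisher key, and refuses any download whose detached signature does not verify under the key pinned for that name. It assumes Ed25519 keys in unpadded urlsafe base64 and a detached signature over the package bytes; the keys and package contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// reqLine matches the "name[algorithmkey=<urlsafe-base64 key>]" form used in the post.
var reqLine = regexp.MustCompile(`^([A-Za-z0-9_.-]+)\[algorithmkey=([A-Za-z0-9_-]+)\]$`)

// ParsePinnedKeys maps each requirement to its pinned publisher key (assumed Ed25519).
// A requirement without a pinned key is rejected outright, as "--signed-only" implies.
func ParsePinnedKeys(text string) (map[string]ed25519.PublicKey, error) {
	pins := map[string]ed25519.PublicKey{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		m := reqLine.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("unsigned or malformed requirement: %q", line)
		}
		raw, err := base64.RawURLEncoding.DecodeString(m[2])
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("bad pinned key for %s", m[1])
		}
		pins[m[1]] = ed25519.PublicKey(raw)
	}
	return pins, nil
}

// VerifyPackage accepts a download only if its detached signature verifies under the
// pinned key, so a package swapped in by a proxy, or re-signed with another key, fails.
func VerifyPackage(pins map[string]ed25519.PublicKey, name string, pkg, sig []byte) error {
	pub, ok := pins[name]
	if !ok || !ed25519.Verify(pub, pkg, sig) {
		return fmt.Errorf("%s: no pinned key, or signature does not verify under it", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed stand-in for a publisher's key
	pins, _ := ParsePinnedKeys("Twisted[algorithmkey=" + base64.RawURLEncoding.EncodeToString(pub) + "]")
	pkg := []byte("constructed wheel bytes") // constructed package contents
	fmt.Println(VerifyPackage(pins, "Twisted", pkg, ed25519.Sign(priv, pkg)))
}
```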
