[Python-ideas] Signed eggs?

Tim Lesher tlesher at gmail.com
Fri Jul 10 15:31:14 CEST 2009


On Fri, Jul 10, 2009 at 06:18, Paul Moore<p.f.moore at gmail.com> wrote:
> 2009/7/10 Stefan Behnel <stefan_ml at behnel.de>:
>> Tim Lesher wrote:
>>> In all the current discussion on python-dev about improving eggs and
>>> setuptools in general, I don't think I've seen anything regarding
>>> digitally signed eggs or verifiable egg distribution.  Google doesn't
>>> seem to turn anything up, either.
>>>
>>> Has anyone put any thought into this?
>>
>> Well, you can sign all stuff that you upload to PyPI. It usually doesn't
>> get verified on installation, though.
>
> And you could write a PEP 302 installer to load & verify signed eggs.
> Nothing new here, other than no-one has wanted to do it so far.

Right--that's part of what I'm going to be doing for a current work project.

The rest is "where to store the signature" and "what inputs should
feed the signature calculation" and "how to verify the egg *without*
trying to import it".

If there were any past efforts (even failed ones) to do so, I was
curious to learn from those experiences.  Sounds like it's a green
field, though.

> BTW, eggs and setuptools are a 3rd party package - there's nothing
> about them in core Python.

Correct--I misspoke. While eggs are probably the implementation
technique I'll be looking at, I was interested in any other attempts
in the past.
-- 
Tim Lesher <tlesher at gmail.com>
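As an added illustration of the three design questions in the reply above (this is not code from the thread, from setuptools, or from the poster's project), a minimal scheme that treats the egg purely as a zip archive: the signature lives in a hypothetical EGG-INFO/SIGNATURE member, the signed input is a digest over every other member's name and content hash, and verification reads the archive with zipfile without importing anything from it. An HMAC under a shared key stands in for the public-key signature a real installer would use; the sample egg and key are constructed for the demonstration.

```python
import hashlib, hmac, io, zipfile

SIG_MEMBER = "EGG-INFO/SIGNATURE"  # hypothetical member holding the detached signature


def manifest_digest(zf):
    # Sorted member names plus each member's SHA-256, excluding the signature itself,
    # so adding, removing, renaming or editing any file changes the digest.
    h = hashlib.sha256()
    for name in sorted(zf.namelist()):
        if name != SIG_MEMBER:
            h.update(name.encode("utf-8") + b"\0")
            h.update(hashlib.sha256(zf.read(name)).digest())
    return h.digest()


def with_member(egg_bytes, name, data):
    # Rebuilds the archive with `name` added or replaced (attaches the signature; also simulates tampering).
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(egg_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for member in src.namelist():
            if member != name:
                dst.writestr(member, src.read(member))
        dst.writestr(name, data)
    return out.getvalue()


def sign_egg(egg_bytes, key):
    # HMAC under a shared key stands in for the public-key signature a real installer needs.
    with zipfile.ZipFile(io.BytesIO(egg_bytes)) as zf:
        tag = hmac.new(key, manifest_digest(zf), hashlib.sha256).hexdigest()
    return with_member(egg_bytes, SIG_MEMBER, tag)


def verify_egg(egg_bytes, key):
    # Treats the egg purely as a zip archive: nothing in it is imported or executed.
    try:
        with zipfile.ZipFile(io.BytesIO(egg_bytes)) as zf:
            if SIG_MEMBER not in zf.namelist():
                return False
            expected = hmac.new(key, manifest_digest(zf), hashlib.sha256).hexdigest()
            return hmac.compare_digest(expected.encode("ascii"), zf.read(SIG_MEMBER))
    except zipfile.BadZipFile:  # truncated or non-zip input
        return False


def build_sample_egg():  # constructed two-member egg used only for this demonstration
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("EGG-INFO/PKG-INFO", "Name: demo\nVersion: 1.0\n")
    return buf.getvalue()
```

A PEP 302 loader could call verify_egg on the file before adding the egg to sys.path, so an unsigned, tampered or truncated egg is rejected before any of its code runs.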
