Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Barry Warsaw
On May 12, 2016, at 04:34 PM, Donald Stufft wrote:
> So my response to this is, let's pretend for a minute that we have the
> greatest and most amazing setup for verifying that the key 0x6E3CBCE93372DCFA
> belongs to me. What's your next step? How do you verify that I'm allowed to
> release for pip?

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Nathaniel Smith
On May 12, 2016 4:41 AM, "Donald Stufft" wrote:
> [...]
> All in all, I think that there is not a whole lot of point to having this
> feature in PyPI, it is predicated on a bunch of invalid assumptions (as detailed
> above) and I do not believe end users are actually even using the

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Barry Warsaw
On May 12, 2016, at 07:41 AM, Donald Stufft wrote:
> I am aware of a single tool anywhere that actively supports verifying the
> signatures that people upload to PyPI, and that is Debian's uscan
> program. Even in that case the people writing the Debian watch file have to
> hardcode in a signing key

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Jeremy Stanley
On 2016-05-12 07:41:21 -0400 (-0400), Donald Stufft wrote:
[...]
> What do folks think? Would anyone be particularly against getting
> rid of the GPG support in PyPI?

We have plans[*] in the OpenStack community to start autosigning our sdist and wheel builds (and similar release artifacts we

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Donald Stufft
> On May 12, 2016, at 8:56 AM, Nick Coghlan wrote:
>
> On 12 May 2016 at 21:41, Donald Stufft wrote:
>> Thus, I would like to remove this feature from PyPI (but not from PEP 503, if
>> other repositories want to continue to support it they are free to).

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Nick Coghlan
On 12 May 2016 at 21:41, Donald Stufft wrote:
> Thus, I would like to remove this feature from PyPI (but not from PEP 503, if
> other repositories want to continue to support it they are free to). Doing this
> would allow simplifying code we have in Warehouse anyplace we

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Donald Stufft
> On May 12, 2016, at 8:05 AM, Paul Moore wrote:
>
> On 12 May 2016 at 12:41, Donald Stufft wrote:
>> What do folks think? Would anyone be particularly against getting rid of the
>> GPG support in PyPI?
>
> 28K projects is too many to do a mailshot, but

Re: [Distutils] PyPI and GPG Signatures

2016-05-12 Thread Paul Moore
On 12 May 2016 at 12:41, Donald Stufft wrote:
> What do folks think? Would anyone be particularly against getting rid of the
> GPG support in PyPI?

28K projects is too many to do a mailshot, but would it be worth asking this question more widely than on distutils-sig? Just "Do

[Distutils] PyPI and GPG Signatures

2016-05-12 Thread Donald Stufft
Currently, PyPI allows you to upload a GPG signature along with your package file as well as associate a GPG Short ID with your user. Theoretically this allows end users to not trust PyPI and instead validate end to end signatures from the original author. I've written [1] previously about