On 07.02.2013 15:13, Giovanni Bajo wrote:
> On 07/feb/2013, at 12:55, "M.-A. Lemburg" <m...@egenix.com> wrote:
>>> Can you please describe an attack that can be mounted against PyPI/pip that
>>> is prevented by having this additional signature?
>>
>> This is not about preventing some kind of attack. It's to simplify
>> the setup for the user of PyPI (via the package manager).
>>
>> The user will no longer have to install several tens or even
>> hundreds of different uploader GPG keys locally just to be able
>> to verify the downloads. Instead, just the PyPI key is needed.
>>
>> I think that's important to not disrupt the PyPI user experience.
>>
>> Additionally, as already mentioned by Lennart, all the GPG interaction
>> could be handled by the package managers.
>
> Yes, but *all* of the above requirements can be obtained by simply having
> PyPI tell pip "key ABCD1234 is authoritative for package django". pip can
> then tell GPG to go get the key automatically from a first-party or
> third-party keyserver (e.g. launchpad).
>
> I'm absolutely *not* suggesting the user go downloading tons of GPG keys
> manually.
I don't think anyone would want to have pip installing hundreds of PyPI
uploader GPG keys locally, even less so if just one is enough :-)

I, for one, certainly wouldn't want to have my keyring cluttered up with
all those GPG keys, or to manage the trust state of all those keys to
prevent GPG warnings such as:

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.

Having PyPI sign the file would also provide a possibility to keep files,
for which the uploader key was later revoked or which expired, in a
verifiable state.

> I will draft an updated document, based on Heimes' proposal, so that we can
> all synchronize.

Ok.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 07 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
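The per-package trust model Giovanni describes above ("key ABCD1234 is authoritative for package django") and the revoked/expired-key concern Marc-Andre raises both come down to what the client checks after gpg runs. The following is an added example, not code from pip, PyPI or anyone in this thread: it parses gpg's machine-readable `--status-fd` output, pins the signer by fingerprint rather than by the keyring's web-of-trust state (so the "not certified" warning quoted above is irrelevant to the decision), and fails closed on a revoked or expired key. The `INDEX_KEYS` metadata format, the fingerprints and the sample status lines are all constructed assumptions.

```python
"""Check a gpg verification result against the key the index declared
authoritative for a package (added illustration, not pip's or PyPI's code;
the INDEX_KEYS metadata format and all fingerprints are assumptions)."""
import re
from typing import Dict

# Assumed index metadata: package -> fingerprint of its authoritative key.
INDEX_KEYS: Dict[str, str] = {"django": "0123456789ABCDEF0123456789ABCDEF01234567"}

# Status lines per GnuPG doc/DETAILS. VALIDSIG carries the signing key's
# fingerprint, 8 more fields, and the primary key's fingerprint if a subkey signed.
_VALIDSIG = re.compile(
    r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})(?: \S+){8}(?: ([0-9A-F]{40}))?\s*$")
# gpg still emits VALIDSIG for revoked/expired keys, so these must fail the check.
_KEY_PROBLEM = re.compile(
    r"^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|REVKEYSIG|EXPKEYSIG|EXPSIG)\b")


def verdict(status_output: str, package: str) -> str:
    """'ok' only for a good signature by exactly the declared key; else a reason.
    TRUST_* lines (source of the 'not certified' warning) are ignored: the pin
    is the fingerprint, not the local keyring's web-of-trust state."""
    expected = INDEX_KEYS.get(package)
    if expected is None:
        return "no-authoritative-key"
    signer_keys = set()
    for line in status_output.splitlines():
        m = _KEY_PROBLEM.match(line)
        if m:
            return m.group(1).lower()  # fail closed on any key or signature problem
        m = _VALIDSIG.match(line)
        if m:
            signer_keys = {fpr for fpr in m.groups() if fpr}
    if not signer_keys:
        return "no-valid-signature"
    return "ok" if expected in signer_keys else "wrong-key"


# Constructed sample outputs shaped like gpg --status-fd lines.
_FPR = INDEX_KEYS["django"]
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Uploader <uploader@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {_FPR} 2013-02-07 1360245180 0 4 0 1 8 00 {_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
STATUS_REVOKED = STATUS_GOOD.replace("GOODSIG", "REVKEYSIG")
STATUS_OTHER_KEY = STATUS_GOOD.replace(_FPR, "F" * 40)
```

In practice the status text comes from running `gpg --batch --no-default-keyring --keyring <index-keys.gpg> --status-fd 1 --verify <sig> <file>` against a keyring that holds only the keys fetched for the index's fingerprints, so the user's personal keyring is never touched.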