On Thursday, February 7, 2013 at 10:04 AM, Giovanni Bajo wrote:
> On 07/feb/2013, at 15:35, "M.-A. Lemburg" <[email protected]> wrote:
>
> > On 07.02.2013 15:13, Giovanni Bajo wrote:
> > > On 07/feb/2013, at 12:55, "M.-A. Lemburg" <[email protected]> wrote:
> > > > > Can you please describe an attack that can be mounted against
> > > > > PyPI/pip that is prevented by having this additional signature?
> > > >
> > > > This is not about preventing some kind of attack. It's to simplify
> > > > the setup for the user of PyPI (via the package manager).
> > > >
> > > > The user will no longer have to install several tens or even
> > > > hundreds of different uploader GPG keys locally just to be able
> > > > to verify the downloads. Instead, just the PyPI key is needed.
> > > >
> > > > I think that's important to not disrupt the PyPI user experience.
> > > >
> > > > Additionally, as already mentioned by Lennart, all the GPG interaction
> > > > could be handled by the package managers.
> > >
> > > Yes, but *all* of the above requirements can be obtained by simply having
> > > PyPI tell pip "key ABCD1234 is authoritative for package django". pip can
> > > then tell GPG to go get the key automatically from a first-party or
> > > third-party keyserver (eg: launchpad).
> > >
> > > I'm absolutely *not* suggesting that the user go download tons of GPG
> > > keys manually.
> >
> > I don't think anyone would want to have pip installing hundreds
> > of PyPI uploader GPG keys locally, even less so if just one is
> > enough :-)
>
> OK, so we need to make both Jesse happy, who doesn't even want pip to run GPG
> under the hood without him even realizing that gpg exists and is being used
> as a crypto primitive, and you, who want to keep a clean keychain that might
> become too cluttered by too many keys :)
>
> I'm sure Jesse doesn't care if the GPG keychain (which he doesn't even want
> to have) becomes too cluttered, because he doesn't even want to learn how to
> dump the keychain contents, or to install a GUI tool to inspect it. I think
> this will be the case for the large majority of users that simply run "apt-get
> install gpg" once and then forget about it and go on with their normal pip
> work (with a fully transparent level of additional security).

It's less about keeping "me" happy: I'm fine with a model that if GPG exists, it's used, silently (not linked against in any way though in core Python - license incompatible). My concern is users needing to *use* and *understand* how to use GPG/OpenPGP - to quote someone:

"I'm really skeptical about the GPG parts of this. If "install GPG" is the first step of uploading a package to PyPI, I think a ton of people will just skip it. No matter how well-documented it is."

There's some other discussion on the google doc some of us have been using to triage the current situation with pypi (send me a google id, and I'll share it) - I haven't had a chance to distill it into human form yet.

jesse

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
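The arrangement Giovanni sketches in the quoted part of this message (PyPI names the authoritative key for a package, pip drives GPG, fetching the key from a keyserver when it is missing) has one check that is easy to get wrong, and the sketch below makes it explicit. This is an added example written for this page, not pip's or PyPI's code: `AUTHORITATIVE_KEYS` is a hypothetical stand-in for whatever PyPI would serve, the fingerprints are made-up hex, and the gpg transcripts are constructed, not captured. The only real format it depends on is gpg's `--status-fd` output. The point it demonstrates: `GOODSIG` only says that some key in the local keyring made the signature, so once pip auto-imports uploader keys, the decision has to compare the `VALIDSIG` fingerprint against the one PyPI declared, not just check gpg's exit status.

```python
import re

# Constructed stand-in for what PyPI would hand pip ("key X is
# authoritative for package Y").  Hypothetical name and made-up
# fingerprint, not a pip or PyPI API.
AUTHORITATIVE_KEYS = {
    "django": "0123456789ABCDEF0123456789ABCDEF01234567",
}

# gpg --status-fd writes one machine-readable line per event:
# "[GNUPG:] KEYWORD args..."
_STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_text):
    """Return a list of (keyword, args) pairs from gpg --status-fd output,
    ignoring any line that is not a status line."""
    events = []
    for line in status_text.splitlines():
        m = _STATUS_RE.match(line.strip())
        if m:
            events.append((m.group(1), (m.group(2) or "").split()))
    return events


def verify_decision(package, status_text):
    """Decide what pip should do after gpg has checked a detached signature.

    Returns "accept", "reject" or "fetch-key:<keyid>".  Acceptance requires
    a VALIDSIG whose fingerprint matches the key PyPI declared authoritative
    for this package; a valid signature from any other key in the keyring
    is rejected.
    """
    expected = AUTHORITATIVE_KEYS.get(package)
    if expected is None:
        # PyPI declared no authoritative key: nothing to verify against.
        return "reject"

    events = parse_status(status_text)
    keywords = {kw for kw, _ in events}
    if keywords & {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "reject"

    for keyword, args in events:
        if keyword == "VALIDSIG" and args:
            # args[0] is the fingerprint of the key that signed (possibly a
            # subkey); gpg appends the primary key fingerprint as the last
            # field, which is what a per-package trust map would name.
            fingerprints = {args[0].upper(), args[-1].upper()}
            return "accept" if expected.upper() in fingerprints else "reject"

    for keyword, args in events:
        if keyword == "NO_PUBKEY" and args:
            # Signing key not in the keyring: this is where pip would ask
            # gpg to fetch it from the keyserver and then verify again.
            return "fetch-key:" + args[0]

    # No verdict at all (unsigned, truncated or garbage output).
    return "reject"


# Constructed gpg --status-fd transcripts, not captured from a real run.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-02-07 1360249200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Valid signature from a different key that is also in the keyring:
# gpg on its own reports success for this one.
STATUS_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-02-07 1360249200 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

STATUS_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1360249200 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
"""

STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Uploader <uploader@example.org>
"""

if __name__ == "__main__":
    cases = [("good", STATUS_GOOD), ("other key", STATUS_OTHER_KEY),
             ("missing key", STATUS_NO_PUBKEY), ("bad sig", STATUS_BAD)]
    for name, status in cases:
        print(f"{name:12s} -> {verify_decision('django', status)}")
```

The "other key" case is the one to keep in mind when weighing the two models in the thread: with a single PyPI signing key the keyring holds one key and gpg's verdict is the whole story, whereas with per-uploader keys fetched on demand the keyring grows with every install, and the fingerprint comparison is what keeps "signed by someone on PyPI" from being mistaken for "signed by the maintainer of this package".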
