On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote:
1. If we're going to implicitly trust PyPI when it says that key X is valid for package Y, do we really gain much here? If we're trusting PyPI then we only really need secure ingress and egress, neither of which need packaging signing.
2. Any solution that includes the step "install GPG" is going to leave a significant portion of people without it. If the tools mandate GPG then people won't upgrade; if the tools don't mandate it people will skip that step. We (probably) won't be using GPG's trust model so it ends up being just a "dumb" signature method, of which there are multiple. If we're going to sign packages we should be looking at something that we can ship out of the box with Python proper, at least in future releases. (And I really didn't want to get into Bikeshedding Signature methods :/ ).
Let's keep in mind a few things:
- The right answer might be "not to sign packages". With proper egress/ingress protections we have a huge avenue of attack solved. Slapping on signatures that don't buy us anything additional but introduce complexity is a net loss.
- This isn't an urgent, pressing issue. Make sure we take the time to explore all the options, including the take-no-action option, and arrive at a good solution.
- A lot of this discussion is going around in circles because there are no parameters, threat model, requirements, or anything else of that nature. It would be more useful at this point to figure out what exactly we are trying to achieve before running off half-cocked to achieve "something with package signatures".
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig