On 8 Feb 2013 02:43, "Giovanni Bajo" <ra...@develer.com> wrote:
>
> On 07/feb/2013, at 17:21, Donald Stufft <donald.stu...@gmail.com> wrote:
>
>> On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote:
>>
>> 1. If we're going to implicitly trust PyPI when it says that key X is valid for package Y,
>> do we really gain much here? If we're trusting PyPI then we only really need secure
>> ingress and egress, neither of which need package signing.
>
>
> Adding a GPG signature on top of SSL helps mitigate (at least) the following concerns:
>
> 1) If a PyPI account password is compromised (stolen, brute-forced, etc.), an attacker cannot upload a package that will be installed by package managers. This also requires making sure that a GPG fingerprint cannot be added to the account without second-factor authentication (can be anything from a link to a security email address, to an SMS). Notice that PyPI passwords are currently saved in the filesystem in clear ($HOME/.pypirc).
Which reminds me, that system *really* should be replaced/supplemented with a time-limited, server-generated auth token, the way Bugzilla and various other services do it. If need be, I can bug a couple of GPL RH projects to contribute their existing solutions to that problem, but there should be non-GPL examples kicking around the web already.

Cheers,
Nick.
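The token scheme Nick sketches above, as an added illustration that is not part of the original thread and not PyPI's or Bugzilla's code: the server mints an HMAC-authenticated token carrying a hard expiry and a unique id, the client stores that token in place of its account password, and the server can reject expired, tampered or individually revoked tokens without the password ever sitting on disk. The key, field names (`sub`, `exp`, `jti`), TTL and in-memory revocation set are all assumptions chosen for the example.

```python
"""Time-limited, server-issued auth tokens as a replacement for a plaintext
password in ~/.pypirc.  Example code, not from PyPI or any real project;
the key, field names and TTL are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side secret. A real service would load this from a
# secret store and rotate it; anyone holding it can mint tokens.
SERVER_KEY = secrets.token_bytes(32)

# Server-side denylist of revoked token ids (constructed in-memory stand-in
# for a database table).
REVOKED_IDS = set()


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_token(username: str, ttl_seconds: int, now: Optional[float] = None,
                key: bytes = SERVER_KEY) -> str:
    """Mint a token the client stores instead of its account password."""
    now = time.time() if now is None else now
    payload = {
        "sub": username,
        "exp": int(now + ttl_seconds),  # hard expiry, enforced server-side
        "jti": secrets.token_hex(8),     # unique id so one token can be revoked
    }
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    sig = _b64e(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def _authenticate(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the MAC over the body verifies."""
    try:
        body, sig = token.encode().split(b".", 1)
        expected = _b64e(hmac.new(key, body, hashlib.sha256).digest())
        # Check the MAC in constant time before parsing anything.
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username if the token is authentic, unexpired and not revoked."""
    now = time.time() if now is None else now
    payload = _authenticate(token, key)
    if payload is None:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # expired: the stolen-token window closes by itself
    if payload.get("jti") in REVOKED_IDS:
        return None  # explicitly revoked on the server
    return payload.get("sub")


def revoke_token(token: str, key: bytes = SERVER_KEY) -> bool:
    """Revoke one token server-side; the account password is untouched."""
    payload = _authenticate(token, key)
    if payload is None or "jti" not in payload:
        return False
    REVOKED_IDS.add(payload["jti"])
    return True


if __name__ == "__main__":
    tok = issue_token("uploader", ttl_seconds=3600)
    print("valid for:", verify_token(tok))
    revoke_token(tok)
    print("after revoke:", verify_token(tok))
```

Two design points worth noting: the MAC is verified before the body is parsed, so malformed or attacker-supplied JSON never reaches the parser unless it was minted with the server key, and the expiry is checked on the server from its own clock, so a leaked `.pypirc` holding a token instead of a password stops being useful once the TTL has passed or the token is revoked.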
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig