On 6/2/13 9:01 AM, Nick Coghlan wrote:
> On Sun, Jun 2, 2013 at 10:09 PM, Donald Stufft <don...@stufft.io> wrote:
>> If we deploy some sort of end to end signing I think TUF is a good
>> implementation of it.
>> I'm not sold on the possibility of reasonably doing end to end signing here
>> though.
> I think in the long run it's a technology we want to offer, but even
> with it deployed PyPI would continue to act as a trusted intermediary
> in most cases. Effective key management is such a PITA that only a few
> larger projects would be in a real position to take direct advantage
> of end-to-end signing - for the remaining projects, trusting PyPI not
> to get compromised is already the status quo.
Yes, key management could be a real PITA if we do not consider
usability. In our design proposal, we talked about how to try to
maximize usability and security, by keeping the truly critical keys
offline (which would be used rarely), and the not-so-critical keys
online (which means that automation can easily use them).
We will be working on TUF and PyPI full-time this summer. As I write
this, we are introducing additional security mechanisms for some cases
which arise frequently; e.g. how do we tell TUF to put more trust in
packages from a stable-release role versus a bleeding-edge role?
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
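The key-placement and role-trust design sketched in the reply above (rarely used critical keys offline, automation-friendly keys online, and a client that trusts a stable-release role differently from a bleeding-edge role) as an added worked example. This is not code from the thread, from TUF, or from PyPI: the repository layout, the role names `stable` and `unstable`, the target paths and the hashes are all constructed here, and an HMAC computed over the canonical metadata stands in for the real asymmetric signature so the file runs on the standard library alone.

```python
# Constructed example: TUF-style roles with offline root/targets/stable keys, an
# online "unstable" key, path-restricted delegation and per-role thresholds.
# The HMAC "signature" stands in for ed25519 so this runs on the stdlib alone;
# a real verifier would hold public keys only, never a signer's secret.
import fnmatch, hashlib, hmac, json, secrets

def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha(text):
    return hashlib.sha256(text.encode()).hexdigest()

def make_key():
    secret = secrets.token_bytes(32)
    return {"keyid": hashlib.sha256(secret).hexdigest(), "secret": secret}

def sig(key, signed):
    return hmac.new(key["secret"], canonical(signed), "sha256").hexdigest()

def make_metadata(signed, keys):
    """Sign one metadata body with every key the role holds."""
    return {"signed": signed,
            "signatures": [{"keyid": k["keyid"], "sig": sig(k, signed)} for k in keys]}

def verify(meta, keyids, threshold, keyring):
    """True when at least `threshold` distinct keys of the role signed `meta`;
    signatures made by keys outside the role are simply ignored."""
    good = {s["keyid"] for s in meta["signatures"]
            if s["keyid"] in keyids and s["keyid"] in keyring
            and hmac.compare_digest(sig(keyring[s["keyid"]], meta["signed"]), s["sig"])}
    return len(good) >= threshold

def build_repo():
    keys = {"root": [make_key() for _ in range(3)],   # offline, signs with 2 of 3
            "targets": [make_key()],                    # offline, only delegates
            "stable": [make_key(), make_key()],         # offline, 2 of 2 for releases
            "unstable": [make_key()]}                   # online, usable by automation
    keyring = {k["keyid"]: k for ks in keys.values() for k in ks}
    role = lambda name, thr: {"keyids": [k["keyid"] for k in keys[name]], "threshold": thr}
    repo = {
        "root": make_metadata({"_type": "root", "roles": {"targets": role("targets", 1)}},
                              keys["root"][:2]),
        "targets": make_metadata({"_type": "targets", "targets": {}, "delegations": {"roles": [
            dict(role("stable", 2), name="stable", paths=["stable/*"]),
            dict(role("unstable", 1), name="unstable", paths=["unstable/*"])]}}, keys["targets"]),
        "stable": make_metadata({"_type": "targets", "targets": {
            "stable/pkg-1.0.tar.gz": {"sha256": sha("stable 1.0 tarball")}}}, keys["stable"]),
        "unstable": make_metadata({"_type": "targets", "targets": {
            "unstable/pkg-1.1.dev1.tar.gz": {"sha256": sha("dev 1.1 tarball")}}}, keys["unstable"]),
    }
    return repo, keys, keyring

def resolve(repo, keyring, pinned_root_keyids, path):
    """Client side: walk root -> targets -> delegated role and return the expected
    sha256 for `path`, or None when any link in the chain fails to verify."""
    root = repo["root"]
    if not verify(root, pinned_root_keyids, 2, keyring):
        return None
    t = root["signed"]["roles"]["targets"]
    targets = repo["targets"]
    if not verify(targets, t["keyids"], t["threshold"], keyring):
        return None
    if path in targets["signed"]["targets"]:
        return targets["signed"]["targets"][path]["sha256"]
    for d in targets["signed"]["delegations"]["roles"]:
        if not any(fnmatch.fnmatch(path, p) for p in d["paths"]):
            continue                     # this role is not trusted for the path at all
        meta = repo[d["name"]]
        if not verify(meta, d["keyids"], d["threshold"], keyring):
            return None                  # fail closed on a bad delegated role
        if path in meta["signed"]["targets"]:
            return meta["signed"]["targets"][path]["sha256"]
    return None

def demo():
    repo, keys, keyring = build_repo()
    pinned = [k["keyid"] for k in keys["root"]]   # shipped with the client, like root.json
    ok = lambda r, p, want: resolve(r, keyring, pinned, p) == want
    good = sha("stable 1.0 tarball")
    out = {"stable_ok": ok(repo, "stable/pkg-1.0.tar.gz", good),
           "dev_ok": ok(repo, "unstable/pkg-1.1.dev1.tar.gz", sha("dev 1.1 tarball"))}
    # The online key leaks: its holder signs metadata claiming the stable path,
    # first inside the unstable role, then as a forged copy of the stable role.
    bad = {"stable/pkg-1.0.tar.gz": {"sha256": sha("backdoored tarball")}}
    forged = make_metadata({"_type": "targets", "targets": bad}, keys["unstable"])
    out["online_key_cannot_claim_stable"] = ok(dict(repo, unstable=forged), "stable/pkg-1.0.tar.gz", good)
    out["forged_stable_role_rejected"] = ok(dict(repo, stable=forged), "stable/pkg-1.0.tar.gz", None)
    # One offline stable key signing alone does not meet the 2-of-2 threshold.
    single = make_metadata(repo["stable"]["signed"], keys["stable"][:1])
    out["single_key_rejected"] = ok(dict(repo, stable=single), "stable/pkg-1.0.tar.gz", None)
    return out
```

Running `demo()` returns a dict in which every check is `True`: the client accepts the stable and dev tarballs through their own roles, a leaked online key can neither slip a stable path into the unstable role (the delegation's path pattern never lets that role speak for `stable/*`) nor re-sign the stable role (its keyid is not in that role's key set), and a single offline stable key cannot meet the role's threshold. The point the reply makes follows directly: the keys that automation touches can be compromised without affecting what the stable role vouches for, while the keys that matter are used rarely enough to stay offline.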