+1 --Noah
On Sep 28, 2013, at 8:05 PM, Donald Stufft <don...@stufft.io> wrote:
> I believe we should remove the /serverkey and /serversig/* APIs from PyPI.
>
> * I am not aware of *any* implementation that actually verifies packages
>   against this API
>
> * In the light of PEP 449 users now make a very conscious choice of which
>   mirror they are using, which means they are no longer downloading random
>   things from indiscriminate mirrors.
>
> * It uses DSA, which is a cryptographic primitive where if you reuse the
>   random number or *any* bias in your random number you completely leak the
>   private key. Given the nature of PyPI it's completely possible for a
>   malicious user to essentially create an unbounded number of signatures,
>   making it more likely that a random nonce will be reused.
>
> * Moving forward something like TUF is a much better answer to the problems
>   this attempts to solve as well as other problems.
>
> So it's basically unused with questionable primitives and better solutions
> exist.
>
> Does anyone have any objections to this being removed?
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
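The DSA nonce-reuse point in Donald's third bullet is worth seeing in code. What follows is an added example, not PyPI's, pip's or any list member's code: a toy DSA over constructed, tiny domain parameters (P = 607, Q = 101, G = 64, chosen so that Q divides P - 1), a signer that takes the nonce k as an argument so reuse can be forced, the two-signature recovery of k and then of the private key x, and a scan that groups a pile of collected signatures by r, which is the tell-tale of a repeated nonce. The package-like message names and the private key 37 are made up for the run; the algebra is identical for real-size parameters.

```python
"""Toy DSA: recover the private key from two signatures that reuse the nonce k.

Added demonstration code with constructed parameters; not PyPI's serversig code.
"""
import hashlib
from collections import defaultdict
from itertools import combinations

# Constructed toy DSA domain parameters: Q divides P - 1 and G has order Q mod P.
P = 607
Q = 101
G = pow(2, (P - 1) // Q, P)  # = 64


def _h(message: bytes) -> int:
    """Hash into Z_Q. Real DSA truncates the digest to |Q| bits; mod Q suffices here."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen(x: int) -> tuple[int, int]:
    """Private key x in [1, Q-1]; public key y = G^x mod P."""
    return x, pow(G, x, P)


def sign(x: int, message: bytes, k: int) -> tuple[int, int]:
    """DSA signing with a caller-supplied nonce k. Reusing k across messages is the bug."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (_h(message) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, retry with another k")
    return r, s


def verify(y: int, message: bytes, sig: tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = _h(message) * w % Q
    u2 = r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_private_key(m1: bytes, sig1: tuple[int, int],
                        m2: bytes, sig2: tuple[int, int]) -> tuple[int, int]:
    """Two signatures with equal r were made with the same k. Then (all mod Q):
       s1 - s2 = k^-1 (h1 - h2)  =>  k = (h1 - h2) / (s1 - s2)
       s1      = k^-1 (h1 + x r) =>  x = (s1 k - h1) / r
    """
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs: the nonce was not reused")
    if (s1 - s2) % Q == 0:
        raise ValueError("identical signatures: nothing to solve")
    h1, h2 = _h(m1), _h(m2)
    k = (h1 - h2) * pow((s1 - s2) % Q, -1, Q) % Q
    x = (s1 * k - h1) * pow(r1, -1, Q) % Q
    return k, x


def find_reused_nonces(signed: list[tuple[bytes, tuple[int, int]]]) -> dict[int, int]:
    """Scan a collection of (message, signature) pairs, as an attacker who can request
    signatures at will would accumulate, and return a private key for every r seen twice."""
    by_r = defaultdict(list)
    for message, sig in signed:
        by_r[sig[0]].append((message, sig))
    recovered = {}
    for r, group in by_r.items():
        for (m1, s1), (m2, s2) in combinations(group, 2):
            if _h(m1) != _h(m2):  # equal hashes give identical signatures; skip those
                recovered[r] = recover_private_key(m1, s1, m2, s2)[1]
                break
    return recovered


def _first_usable_nonce(x: int, messages: list[bytes]) -> int:
    """Toy-only: find a k that gives non-degenerate signatures for every message."""
    for k in range(1, Q):
        try:
            for m in messages:
                sign(x, m, k)
            return k
        except ValueError:
            continue
    raise RuntimeError("no usable nonce")


def demo() -> dict:
    """Sign several messages with one repeated k, recover x from the signatures alone,
    and show the recovered key forges a signature the real public key accepts."""
    x, y = keygen(37)  # constructed private key for a reproducible run
    messages = [b"pkg-A-1.0.tar.gz", b"pkg-B-2.3.whl", b"pkg-C-0.9.zip",
                b"pkg-D-4.1.tar.gz", b"pkg-E-1.2.whl", b"pkg-F-3.0.tar.gz"]
    k = _first_usable_nonce(x, messages)
    signed = [(m, sign(x, m, k)) for m in messages]  # every r is identical
    x_rec = next(iter(find_reused_nonces(signed).values()))
    forged_msg = b"evil-1.0.tar.gz"
    forged = sign(x_rec, forged_msg, _first_usable_nonce(x_rec, [forged_msg]))
    return {"x": x, "x_recovered": x_rec,
            "all_valid": all(verify(y, m, sig) for m, sig in signed),
            "forgery_verifies": verify(y, forged_msg, forged)}
```

Grouping by r is also the practical check when auditing a signing service: any repeated r across a collected set of signatures means the key is already gone. Exact reuse is only the simplest case; a nonce that is merely biased (a few known high bits, for instance) also leaks the key, via lattice methods rather than the two-line algebra above, which is what the "*any* bias" in the original message refers to.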