On Tue, Oct 23, 2012 at 1:42 AM, <mar...@v.loewis.de> wrote:
> I'm also -1 on the notion that the entire key distribution matter is out
> of scope. With that approach, I feel that the package signing is essentially
> pointless.
>
> As a general note on this, this entire issue lacks a threat model:
> what kind of attack do you want to protect against? I can't think of
> any realistic threat that is effectively protected against with your
> signature scheme.
It is designed to protect against a man-in-the-middle attack. What if I'm at PyCon using an open access point? An attacker has proxied the connection to provide malware instead of the correct packages. Thankfully, the tahoe-lafs developers have sent me a PGP-signed requirements file with the keys of all the dependencies they trust:

    allmydata-tahoe[algorithmkey=YDWz8J6HAQc1V4_EoO-1cEGHSHjRd-5HYjj4hPCmSVZUZDm67-NngM2_XcMJOddXBv6xNLjK91DEn20KZCSFeBdMzeohE1YNq__4CT91StT0cQ_zhrQ1vwwwILZuOfgPmVep3lw2Jn3KVnl1PBw7P1WjuCctENxwuFz3NuWhER_uldA-0ted0SYKvvD5zI85epp8mRucxw0d7NUTdtTci7Hyx-ujTBDlTIB-tEIQ_9eJf9BznFuqvvfYf4qlfgjF4nvDgU1pQfbu6RSBOVdZEFgNqoPWV-Qo_4HjyKA7WG0Xk9OI92Jl3JkZRV2bP-KdRwbnUj7dyVSvhr2ilWx0s380epSSPLBByrmW8dkj_b8NJwSVk5J6rWMqKplINZlpWW5j3O1pn2U5e-XG6AWBNZd5r89MhXHhz2PA9CyGb7sINRljC716tdz-RYaFD2lScdszygNsMBvLHcyz9GQmjPtK4GhQQGrRyu40Q3BWJWq4l70pBBmG]
    Twisted[algorithmkey=YDWz8J6HAQc1V4_EoO-1cEGHSHjRd-5HYjj4hPCmSVZUZDm67-NngM2_XcMJOddXBv6xNLjK91DEn20KZCSFeBdMzeohE1YNq__4CT91StT0cQ_zhrQ1vwwwILZuOfgPmVep3lw2Jn3KVnl1PBw7P1WjuCctENxwuFz3NuWhER_uldA-0ted0SYKvvD5zI85epp8mRucxw0d7NUTdtTci7Hyx-ujTBDlTIB-tEIQ_9eJf9BznFuqvvfYf4qlfgjF4nvDgU1pQfbu6RSBOVdZEFgNqoPWV-Qo_4HjyKA7WG0Xk9OI92Jl3JkZRV2bP-KdRwbnUj7dyVSvhr2ilWx0s380epSSPLBByrmW8dkj_b8NJwSVk5J6rWMqKplINZlpWW5j3O1pn2U5e-XG6AWBNZd5r89MhXHhz2PA9CyGb7sINRljC716tdz-RYaFD2lScdszygNsMBvLHcyz9GQmjPtK4GhQQGrRyu40Q3BWJWq4l70pBBmG]
    ... and so on.

I pip install --signed-only -r tahoe-requirements.txt (not implemented yet) to install the application, knowing the packages come from the publishers the app developer expected.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
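As an added illustration (not code from this thread, from pip, or from the tahoe-lafs project), here is the check that a `--signed-only` install would have to perform: parse the per-package `algorithmkey=` pins out of the requirements file and accept a downloaded archive only if the publisher key shipped with it matches the pin and the archive's signature verifies under that key, so a proxied download fails closed. Because the proposal names no algorithm, the code assumes a Lamport one-time signature over SHA-256 as a stand-in (it runs on the standard library alone) and assumes the pin is a URL-safe base64 SHA-256 fingerprint of the public key; the key format, function names and sample archive bytes are all constructed here.

```python
import base64, hashlib, os, re

# Stand-in signature scheme: Lamport one-time signatures over SHA-256. Chosen
# only because it needs no third-party library; the thread names no algorithm.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(h >> i) & 1 for i in range(256)]

def sign(sk, data):
    # Reveal one preimage per message-hash bit.
    return [sk[i][b] for i, b in enumerate(_bits(data))]

def verify(pk, data, sig):
    # Length check matters: zip() over a short/empty signature must not pass.
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (b, s) in enumerate(zip(_bits(data), sig)))

def fingerprint(pk):
    # The value pinned as algorithmkey=... in the requirements file (assumed format).
    raw = hashlib.sha256(b"".join(a + b for a, b in pk)).digest()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

REQ_RE = re.compile(r"^(\S+)\[algorithmkey=([A-Za-z0-9_-]+)\]$")

def parse_requirements(text):
    """Map package name -> pinned key; any unpinned line is rejected outright."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsigned requirement rejected under --signed-only: {line}")
        pins[m.group(1)] = m.group(2)
    return pins

def check_package(pins, name, archive, pk, sig):
    """Install only if the shipped key matches the pin AND the signature verifies."""
    return pins.get(name) == fingerprint(pk) and verify(pk, archive, sig)
```

A proxy that swaps the archive, or re-signs it with its own key, fails one of the two conditions; the requirements file itself is the trust root and must arrive over a path the attacker does not control (the PGP-signed copy in the mail).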