Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Vinay Sajip
Jesse Noller writes: > It's less about keeping "me" happy: I'm fine with a model that if GPG exists, > it's used, silently (not linked against in any way though in core Python - > license incompatible). Right, but it may be OK for pip (or other Python tool with a non-GPL-compatible li

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Lennart Regebro
On Thu, Feb 7, 2013 at 3:06 PM, Justin Cappos wrote: > We'd like to integrate TUF ( https://www.updateframework.com/ ) into PyPI to > help out if it makes sense. In theory the integration should be > straightforward. It's basically just importing a few libraries in the > client tools and askin

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 23:26, Nick Coghlan wrote: > > On 8 Feb 2013 02:43, "Giovanni Bajo" wrote: > > > > On 07 Feb 2013, at 17:21, Donald Stufft > > wrote: > > > >> On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote: > >> > >> 1. If we're going to

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Nick Coghlan
On 8 Feb 2013 02:43, "Giovanni Bajo" wrote: > > On 07 Feb 2013, at 17:21, Donald Stufft < donald.stu...@gmail.com> wrote: > >> On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote: >> >> 1. If we're going to implicitly trust PyPI when it says that key X is valid for pac

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Daniel Holth
Really enjoyed the (extended version with more attacks / issues: http://isis.poly.edu/~jcappos/papers/cappos_pmsec_tr08-02.pdf ) paper, especially how trust delegation is handled by having the repository track keys that are then used to delegate trust to individual developers, and how revocation is

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 17:21, Donald Stufft wrote: > On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote: > > 1. If we're going to implicitly trust PyPI when it says that key X is valid > for package Y, > do we really gain much here? If we're trusting PyPI then we

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Donald Stufft
On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote: 1. If we're going to implicitly trust PyPI when it says that key X is valid for package Y, do we really gain much here? If we're trusting PyPI then we only really need secure ingress and egress neither of which need packagin

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 16:38, "M.-A. Lemburg" wrote: > On 07.02.2013 16:04, Giovanni Bajo wrote: >> On 07 Feb 2013, at 15:35, "M.-A. Lemburg" >> wrote: >> >>> On 07.02.2013 15:13, Giovanni Bajo wrote: On 07 Feb 2013, at 12:55, "M.-A. Lemburg"

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 16:16, Jesse Noller wrote: > > > On Thursday, February 7, 2013 at 10:04 AM, Giovanni Bajo wrote: > >> On 07 Feb 2013, at 15:35, "M.-A. Lemburg" > (mailto:m...@egenix.com)> wrote: >> >>> On 07.02.2013 15:13, Giovanni Bajo wrote: On

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread M.-A. Lemburg
On 07.02.2013 16:04, Giovanni Bajo wrote: > On 07 Feb 2013, at 15:35, "M.-A. Lemburg" > wrote: > >> On 07.02.2013 15:13, Giovanni Bajo wrote: >>> On 07 Feb 2013, at 12:55, "M.-A. Lemburg" >>> wrote: > Can you please describe an attack that can be mounted

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Jesse Noller
On Thursday, February 7, 2013 at 10:04 AM, Giovanni Bajo wrote: > On 07 Feb 2013, at 15:35, "M.-A. Lemburg" (mailto:m...@egenix.com)> wrote: > > > On 07.02.2013 15:13, Giovanni Bajo wrote: > > > On 07 Feb 2013, at 12:55, "M.-A. Lemburg" > > (mailto:m...@egenix.c

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 15:35, "M.-A. Lemburg" wrote: > On 07.02.2013 15:13, Giovanni Bajo wrote: >> On 07 Feb 2013, at 12:55, "M.-A. Lemburg" >> wrote: Can you please describe an attack that can be mounted against PyPI/pip that is prevented by having

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Daniel Holth
+1 on listening to the computer science professor. On Thu, Feb 7, 2013 at 9:06 AM, Justin Cappos wrote: > There are a whole host of subtle problems that you can get into with > security for package distribution. > > For some issues with handling metadata in the presence of a MITM that have > be

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread M.-A. Lemburg
On 07.02.2013 15:13, Giovanni Bajo wrote: > On 07 Feb 2013, at 12:55, "M.-A. Lemburg" > wrote: >>> Can you please describe an attack that can be mounted against PyPI/pip that >>> is prevented by having this additional signature? >> >> This is not about preventing some kind of a

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 12:55, "M.-A. Lemburg" wrote: > On 07.02.2013 12:49, Giovanni Bajo wrote: >> On 07 Feb 2013, at 11:59, "M.-A. Lemburg" >> wrote: >> >>> Sorry, if this has already been mentioned, but we could make GPG >>> signing very user friendly for th

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Justin Cappos
There are a whole host of subtle problems that you can get into with security for package distribution. For some issues with handling metadata in the presence of a MITM that have been fixed in most of the popular Linux package managers: http://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Donald Stufft
On Thursday, February 7, 2013 at 5:32 AM, Jesse Noller wrote: > That tutorial would have to be amazingly easy, and GPG could never be a hard > requirement. GPG is still annoying, clunky and painful enough that it would > just become a nuisance and people would move elsewhere. > > So adding suppo

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread M.-A. Lemburg
On 07.02.2013 12:49, Giovanni Bajo wrote: > On 07 Feb 2013, at 11:59, "M.-A. Lemburg" > wrote: > >> Sorry, if this has already been mentioned, but we could make GPG >> signing very user friendly for the PyPI users by: >> >> - having the PyPI server verify the uploaded file agai

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 11:58, Jesse Noller wrote: > > > On Feb 7, 2013, at 5:45 AM, Giovanni Bajo wrote: > >> On 07 Feb 2013, at 11:32, Jesse Noller >> wrote: >> >>> >>> >>> On Feb 7, 2013, at 5:25 AM, Giovanni Bajo wrote: >>> On 07 Feb 2013

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 11:59, "M.-A. Lemburg" wrote: > Sorry, if this has already been mentioned, but we could make GPG > signing very user friendly for the PyPI users by: > > - having the PyPI server verify the uploaded file against the > registered GPG key of the uploader > >

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Lennart Regebro
On Wed, Feb 6, 2013 at 9:57 PM, Zygmunt Krynicki wrote: >> Right, but then we are again back to trusting a central authority, >> in this case plone.org. If we can trust plone.org, why can't we >> trust Python.org? > > Because presumably plone foundation looks at the dependency list and > cares. No

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Lennart Regebro
On Thu, Feb 7, 2013 at 11:32 AM, Jesse Noller wrote: > That tutorial would have to be amazingly easy, and GPG could never be a hard > requirement. GPG is still annoying, clunky and painful enough that it would > just become a nuisance and people would move elsewhere. *Using* gpg should not be a r

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Ronald Oussoren
On 7 Feb, 2013, at 11:58, Jesse Noller wrote: > > > Not really - I know that if we're going to do crypto, the first rule of > crypto is "don't make your own crypto" - I've just worked with pgp/openpgp > enough to realize its usability is astoundingly atrocious. > But not so bad that it can't

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread M.-A. Lemburg
Sorry, if this has already been mentioned, but we could make GPG signing very user friendly for the PyPI users by: - having the PyPI server verify the uploaded file against the registered GPG key of the uploader - have the PyPI server sign the uploaded file using its own key (so you have two

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Jesse Noller
On Feb 7, 2013, at 5:45 AM, Giovanni Bajo wrote: > On 07 Feb 2013, at 11:32, Jesse Noller > wrote: > >> >> >> On Feb 7, 2013, at 5:25 AM, Giovanni Bajo wrote: >> >>> On 07 Feb 2013, at 11:08, Ronald Oussoren >>> wrote: >>> On 6 Feb, 2013,

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Ronald Oussoren
On 7 Feb, 2013, at 11:51, Giovanni Bajo wrote: > >> >>> What I haven't seen (or have overlooked) in the entire discussion is what we're trying to protect against. The thread kicked off due to a report of how to perform MITM attacks against PyPI, but it seems that some of the

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 11:45, Ronald Oussoren wrote: > > On 7 Feb, 2013, at 11:25, Giovanni Bajo wrote: > >> On 07 Feb 2013, at 11:08, Ronald Oussoren >> wrote: >> >>> >>> On 6 Feb, 2013, at 22:15, Daniel Holth wrote: >>> On Wed, Feb 6, 2013 at 4:05

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 11:32, Jesse Noller wrote: > > > On Feb 7, 2013, at 5:25 AM, Giovanni Bajo wrote: > >> On 07 Feb 2013, at 11:08, Ronald Oussoren >> wrote: >> >>> >>> On 6 Feb, 2013, at 22:15, Daniel Holth wrote: >>> On Wed, Feb 6, 2013 at 4:0

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Ronald Oussoren
On 7 Feb, 2013, at 11:25, Giovanni Bajo wrote: > On 07 Feb 2013, at 11:08, Ronald Oussoren > wrote: > >> >> On 6 Feb, 2013, at 22:15, Daniel Holth wrote: >> >>> On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote: >>> >>> >>> On Wednesday, February 6, 2013 at 4:02 PM, D

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Jesse Noller
On Feb 7, 2013, at 5:25 AM, Giovanni Bajo wrote: > On 07 Feb 2013, at 11:08, Ronald Oussoren > wrote: > >> >> On 6 Feb, 2013, at 22:15, Daniel Holth wrote: >> >>> On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote: On Wednesday, February 6, 2013 at 4:02

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Giovanni Bajo
On 07 Feb 2013, at 11:08, Ronald Oussoren wrote: > > On 6 Feb, 2013, at 22:15, Daniel Holth wrote: > >> On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote: >> >> >> On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote: >> >> > On Wednesday, February 6, 2013 at

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-07 Thread Ronald Oussoren
On 6 Feb, 2013, at 22:15, Daniel Holth wrote: > On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote: > > > On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote: > > > On Wednesday, February 6, 2013 at 4:01 PM, Vinay Sajip wrote: > > > M.-A. Lemburg w

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Andreas Jung
Lennart Regebro wrote: > On Wed, Feb 6, 2013 at 9:28 PM, Zygmunt Krynicki > wrote: >> I did not realize that a basic install of plone is composed of >> 100+ packages. If all of those packages are maintained by a >> coherent group (pardon my ignoran

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Giovanni Bajo
On 06 Feb 2013, at 22:17, mar...@v.loewis.de wrote: >> Right, but then we are again back to trusting a central authority, in >> this case plone.org. If we can trust plone.org, why can't we trust >> Python.org? > > Some people might be concerned that PyPI could have been hacked,

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Daniel Holth
In this scheme Plone would publish all the public keys for all its dependencies as tested. They already pin pretty much all their dependencies. Each pinned version would have a key fingerprint added to that line in the file. Whether pgp or x509 or something else is used doesn't matter that much. T

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Vinay Sajip
Daniel Holth writes: > That is why the original wheel signing design uses no GPG, a system that has > proven to be unused in practice. It's not like there's some other PKI system which is so much easier to use that it's a no-brainer, such that it has widespread adoption with the type

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Daniel Holth
On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote: > > > On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote: > > > On Wednesday, February 6, 2013 at 4:01 PM, Vinay Sajip wrote: > > > M.-A. Lemburg writes: > > > > > > > Try gnupg-w32cli which is really

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread M.-A. Lemburg
On 06.02.2013 22:05, Jesse Noller wrote: > > > On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote: > >> On Wednesday, February 6, 2013 at 4:01 PM, Vinay Sajip wrote: >>> M.-A. Lemburg writes: >>> Try gnupg-w32cli which is really easy to install a

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Jesse Noller
On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote: > On Wednesday, February 6, 2013 at 4:01 PM, Vinay Sajip wrote: > > M.-A. Lemburg writes: > > > > > Try gnupg-w32cli which is really easy to install and doesn't > > > get in your way: > > > > > > h

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Donald Stufft
On Wednesday, February 6, 2013 at 4:01 PM, Vinay Sajip wrote: > M.-A. Lemburg writes: > > > Try gnupg-w32cli which is really easy to install and doesn't > > get in your way: > > > > http://lists.gnupg.org/pipermail/gnupg-announce/2012q1/000313.html > > Or, to fas

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Vinay Sajip
M.-A. Lemburg writes: > Try gnupg-w32cli which is really easy to install and doesn't > get in your way: > > http://lists.gnupg.org/pipermail/gnupg-announce/2012q1/000313.html > Or, to fast-track to the binaries, look in here: ftp://ftp.gnupg.org/gcrypt/binary/ As MAL says, instal

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Zygmunt Krynicki
On 06.02.2013 21:55, Lennart Regebro wrote: > On Wed, Feb 6, 2013 at 9:50 PM, wrote: >> There is surely an obvious delegation of trust happening here. If >> plone has 100 dependencies, it is really the authors of plone >> itself which declared th

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Lennart Regebro
On Wed, Feb 6, 2013 at 9:50 PM, wrote: > There is surely an obvious delegation of trust happening here. If plone > has 100 dependencies, it is really the authors of plone itself which > declared that they trust these packages; the end user in turn trusts the > plone developers (both in their own

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Vinay Sajip
> From: Donald Stufft > >Yea I'm actually aware of that, However it requires installing GPG like >you said which is pretty unfriendly in general on Windows, and adds >another barrier to release.  Agreed, but the problem isn't especially technical, it's related to licensing. To get gpg to run

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread martin
Quoting Lennart Regebro: It is, for Plone, a several hundred times operation. This is not a feasible path. There is surely an obvious delegation of trust happening here. If plone has 100 dependencies, it is really the authors of plone itself which declared that they trust these packages; t

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread M.-A. Lemburg
On 06.02.2013 21:33, Donald Stufft wrote: > On Wednesday, February 6, 2013 at 3:31 PM, Vinay Sajip wrote: >> Donald Stufft writes: >> >>> * Do we have bindings to GPG that we can use? >> >> There's python-gnupg [1][2] which I maintain. I test it on Linux, Mac OS X >>

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Lennart Regebro
On Wed, Feb 6, 2013 at 9:38 PM, Zygmunt Krynicki wrote: > On 06.02.2013 19:05, Giovanni Bajo wrote: >> Most users will just tap "yes" to get on with their task and ignore >> this prompt. > > I have no solution to that. That is the problem we

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Lennart Regebro
On Wed, Feb 6, 2013 at 9:28 PM, Zygmunt Krynicki wrote: > I did not realize that a basic install of plone is composed of 100+ > packages. If all of those packages are maintained by a coherent group > (pardon my ignorance of plone here) then perhaps that use case could > be managed by allowing the

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Zygmunt Krynicki
On 06.02.2013 19:05, Giovanni Bajo wrote: > On 06 Feb 2013, at 18:20, Zygmunt Krynicki > wrote: Meta note: I suspect we've covered enough ground here to focus on some proof-of-concept implementation. Just talking will not help

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Donald Stufft
On Wednesday, February 6, 2013 at 3:31 PM, Vinay Sajip wrote: > Donald Stufft writes: > > > * Do we have bindings to GPG that we can use? > > There's python-gnupg [1][2] which I maintain. I test it on Linux, Mac OS X and > Windows. It relies on an already installed

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Vinay Sajip
Donald Stufft writes: > * Do we have bindings to GPG that we can use? There's python-gnupg [1][2] which I maintain. I test it on Linux, Mac OS X and Windows. It relies on an already installed GnuPG executable being available, and works through the subprocess module to talk to it. It c
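Two of the mechanisms discussed above, M.-A. Lemburg's proposal that a signature be checked against the GPG key registered for the uploader and Daniel Holth's suggestion of pinning a key fingerprint next to each pinned dependency, reduce to one client-side check: gpg must report a good signature, and the key that made it must be the one the project expects. The following is an added example of that check in Python; it is not code from this thread, from pip, from PyPI or from python-gnupg. It does not invoke gpg: it parses status lines in the machine-readable format gpg prints on --status-fd (the channel a subprocess wrapper would read), using constructed sample lines, and the `name==version  fingerprint:<40 hex>` pin syntax is an assumption made for the example, not an existing requirements-file feature.

```python
"""Bind a GnuPG signature to the key a project has pinned for a dependency.

Added example, not code from the thread, pip, PyPI or python-gnupg. gpg is not
invoked: the status lines below are constructed in the format gpg emits on
--status-fd (documented in GnuPG's doc/DETAILS); a real client would take them
from `gpg --status-fd 1 --verify pkg.tar.gz.asc pkg.tar.gz`. The pin syntax
`name==version  fingerprint:<40 hex>` is assumed for this example only.
"""
import re

# Status keywords after which the signature must not be accepted, whatever
# else gpg printed: bad signature, unverifiable signature, expired signature,
# expired or revoked signing key, no signature data at all.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)==(\S+)\s+fingerprint:([0-9A-Fa-f]{40})\s*$")


def parse_status(status_text):
    """Return (goodsig_seen, fingerprints, rejects) from gpg status output.

    GOODSIG carries only a 64-bit key ID, too short to pin against. VALIDSIG
    carries the full signing-key fingerprint and, as its last field, the
    primary-key fingerprint when a subkey signed; both are kept so a pin may
    name either one.
    """
    goodsig, fingerprints, rejects = False, set(), []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG" and len(parts) >= 3:
            fingerprints.add(parts[2].upper())
            if len(parts) >= 12:
                fingerprints.add(parts[11].upper())
        elif keyword in REJECT:
            rejects.append(keyword)
    return goodsig, fingerprints, rejects


def load_pins(text):
    """Parse pinned releases with the signer fingerprint expected for each."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError("unparseable pin line: %r" % raw)
        name, version, fpr = match.groups()
        pins[(name.lower(), version)] = fpr.upper()
    return pins


def check_package(name, version, pins, status_text):
    """Accept the release only if gpg reports a good signature by the pinned
    key. gpg's TRUST_* lines are ignored on purpose: trust comes from the
    project's pin, not from the local keyring's web of trust."""
    key = (name.lower(), version)
    if key not in pins:
        return False, "no pinned fingerprint for this release"
    goodsig, fingerprints, rejects = parse_status(status_text)
    if rejects:
        return False, "gpg rejected signature: " + ", ".join(rejects)
    if not goodsig or not fingerprints:
        return False, "no good signature"
    if pins[key] not in fingerprints:
        return False, "signed by an unpinned key: " + ", ".join(sorted(fingerprints))
    return True, "ok"


# Constructed sample data: not real keys, releases or gpg output.
PINNED_KEY = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_KEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
PINS = ("# name==version  fingerprint:<primary key fingerprint>\n"
        f"Django==1.4.3  fingerprint:{PINNED_KEY}\n")
GOOD_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <m@example.org>",
    f"[GNUPG:] VALIDSIG {PINNED_KEY} 2013-02-07 1360245600 0 4 0 1 10 00 {PINNED_KEY}",
    "[GNUPG:] TRUST_UNDEFINED",
]) + "\n"
# The same release re-signed with a key the maintainer later listed on PyPI
# but the project never pinned.
OTHER_KEY_STATUS = GOOD_STATUS.replace(PINNED_KEY, OTHER_KEY)
# A signature by the pinned key after that key was revoked.
REVOKED_STATUS = GOOD_STATUS.replace("GOODSIG", "REVKEYSIG")

if __name__ == "__main__":
    pins = load_pins(PINS)
    for label, status in [("good", GOOD_STATUS), ("other key", OTHER_KEY_STATUS),
                          ("revoked", REVOKED_STATUS)]:
        print(label, check_package("Django", "1.4.3", pins, status))
```

The pin, not the keyring, is the trust anchor here: a release signed by a key PyPI now lists for the maintainer is still rejected when the project's pin names a different key, which is what makes the fingerprint-change-as-revocation model discussed in the thread safe to rely on. A full client would also bind the signature to the exact file it downloaded (the `--verify` invocation does that) and refuse unsigned files for pinned releases.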

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Zygmunt Krynicki
On 06.02.2013 21:08, Lennart Regebro wrote: > On Wed, Feb 6, 2013 at 8:51 PM, Zygmunt Krynicki > wrote: >> That is a one time operation. > > It is, for Plone, a several hundred times operation. This is not a > feasible path. I did not realize

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Lennart Regebro
On Wed, Feb 6, 2013 at 8:51 PM, Zygmunt Krynicki wrote: > That is a one time operation. It is, for Plone, a several hundred times operation. This is not a feasible path. > Sorry, you are right. My example assumed you were familiar with what > I'm doing with distrust (https://github.com/zyga/dist

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Zygmunt Krynicki
On 06.02.2013 20:00, Lennart Regebro wrote: > On Wed, Feb 6, 2013 at 6:20 PM, Zygmunt Krynicki > wrote: >> You would first download django (either signed or not) and get >> prompted if you want to trust the signer for that project (or if >> the

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Lennart Regebro
On a general note: Trust in keys is a hard problem which people have tried to solve for 20-30 years now. We are not going to solve it here and now. The only path forward when it comes to keys and signatures is that we ask people to trust a central key source. This is not a perfect solution, but t

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Lennart Regebro
On Wed, Feb 6, 2013 at 6:20 PM, Zygmunt Krynicki wrote: > You would first download django (either signed or not) and get > prompted if you want to trust the signer for that project (or if the > file was not signed, to trust this particular file for django in the > future). Getting a lot of questi

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Giovanni Bajo
On 06 Feb 2013, at 18:20, Zygmunt Krynicki wrote: > On 06.02.2013 16:24, Giovanni Bajo wrote: > >>> I agree that pypi "should" be the good guy we can trust. I argue >>> that none of the things offered in this thread can

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Zygmunt Krynicki
On 06.02.2013 16:24, Giovanni Bajo wrote: >> I agree that pypi "should" be the good guy we can trust. I argue >> that none of the things offered in this thread can achieve that. >> >> There is a deeper problem here, apart from the current "OMG >>

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Giovanni Bajo
On 06 Feb 2013, at 15:59, Zygmunt Krynicki wrote: > On 06.02.2013 15:38, Giovanni Bajo wrote: >> On 06 Feb 2013, at 14:41, Zygmunt Krynicki >> wrote: >> >>> On 06.02.2013 11:57, Christian Heimes wrote

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Giovanni Bajo
On 06 Feb 2013, at 15:56, Lennart Regebro wrote: > On Wed, Feb 6, 2013 at 3:38 PM, Giovanni Bajo wrote: >> That's OK, we can make sure in the design that you will be able to do it. > > A setting in pip to choose the key repository should do it, right? > Supporting a local dir

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Lennart Regebro
On Wed, Feb 6, 2013 at 3:38 PM, Giovanni Bajo wrote: > That's OK, we can make sure in the design that you will be able to do it. A setting in pip to choose the key repository should do it, right? Supporting a local directory perhaps? And of course defaulting to PyPI. //Lennart

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Zygmunt Krynicki
On 06.02.2013 15:38, Giovanni Bajo wrote: > On 06 Feb 2013, at 14:41, Zygmunt Krynicki > wrote: > >> On 06.02.2013 11:57, Christian Heimes wrote: >>> On 05.02.2013 22:28, Zygmunt Krynicki wrote: >> I agree. I think t

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Giovanni Bajo
On 06 Feb 2013, at 14:41, Zygmunt Krynicki wrote: > On 06.02.2013 11:57, Christian Heimes wrote: >> On 05.02.2013 22:28, Zygmunt Krynicki wrote: > >>> I agree. I think that pypi should not have to be trusted. Real >>> people trust other (few, limited) real people. We do

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Zygmunt Krynicki
On 06.02.2013 11:57, Christian Heimes wrote: > On 05.02.2013 22:28, Zygmunt Krynicki wrote: >>> * If we are trusting the fingerprint someone is sending us we >>> can trust the public key they are sending us, * Adds an extra >>> step to go from

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Christian Heimes
On 05.02.2013 22:13, Giovanni Bajo wrote: > The theoretical attack I can think of is that an attack that has stolen the > user's credential, could re-upload a previous version of a package that has > been removed/deprecated. I think that PyPI already mandates monotonic version > number increas

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Lennart Regebro
On Wed, Feb 6, 2013 at 12:03 PM, Christian Heimes wrote: > On 05.02.2013 23:41, Lennart Regebro wrote: >> On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo wrote: - An uploader must be able to revoke her keys from PyPI without access to her private key. >>> >>> This is already implement

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Christian Heimes
On 05.02.2013 23:41, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo wrote: >>> - An uploader must be able to revoke her keys from PyPI without >>> access to her private key. >> >> This is already implemented, a user can modify her listed GPG fingerprint. >> This is no

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Giovanni Bajo
On 05 Feb 2013, at 22:28, Zygmunt Krynicki wrote: >> * What is the expected end user reaction if someone revokes their >> key from PyPI? In other words if I've established a trust with key >> A, and the maintainer revokes that what happens when I try to >> install their package

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Christian Heimes
On 05.02.2013 22:28, Zygmunt Krynicki wrote: >> * If we are trusting the fingerprint someone is sending us we >> can trust the public key they are sending us, * Adds an extra >> step to go from zero to releasing * Expecting the user to decrypt >> t

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Giovanni Bajo
On 05 Feb 2013, at 23:41, Lennart Regebro wrote: > On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo wrote: >>> - An uploader must be able to revoke her keys from PyPI without >>> access to her private key. >> >> This is already implemented, a user can modify her listed GPG fin

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Lennart Regebro
On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo wrote: >> - An uploader must be able to revoke her keys from PyPI without >> access to her private key. > > This is already implemented, a user can modify her listed GPG fingerprint. > This is not different from, e.g., the page that allows a github

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Zygmunt Krynicki
On 05.02.2013 21:23, Donald Stufft wrote: > * Do we have bindings to GPG that we can use? There are some gpg bindings but my visibility is limited to the Linux world. GPG wrappers that talk to it using a standardized input/output format exist if you go

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Christian Heimes
On 05.02.2013 21:23, Donald Stufft wrote: > * Do we have bindings to GPG that we can use? > * If not are we going to depend on users to install GPG? > * GPG installation can be tricky, especially for someone new to > programming. Linux and BSD come with GPG installed or eas

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Giovanni Bajo
On 05 Feb 2013, at 20:21, Christian Heimes wrote: > Hello, > > I like to discuss my proposal for a package signing and verification > process. It's just a brief draft and not a final document. (Credits to > my friend Marcus Brinkmann for additional insights). > > > Package m

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 2:21 PM, Christian Heimes wrote: > Hello, > > I like to discuss my proposal for a package signing and verification > process. It's just a brief draft and not a final document. (Credits to > my friend Marcus Brinkmann for additional insights). > > > Package maintai

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Donald Stufft
On Tuesday, February 5, 2013 at 2:34 PM, Daniel Holth wrote: > There is a well-engineered framework out there already: > https://www.updateframework.com/wiki/SecuringPythonPackageManagement > To my knowledge this depends on PyPI remaining uncompromised.

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Zygmunt Krynicki
On 05.02.2013 20:21, Christian Heimes wrote: > User installs package - > > process: - retrieves the package and the combined signature > file (PyPI's signature, metadata file and embedded signature of the > uploader) - option

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Daniel Holth
On Tue, Feb 5, 2013 at 2:21 PM, Christian Heimes wrote: > Hello, > > I like to discuss my proposal for a package signing and verification > process. It's just a brief draft and not a final document. (Credits to > my friend Marcus Brinkmann for additional insights). > > > Package maintainer registe

[Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Christian Heimes
Hello, I like to discuss my proposal for a package signing and verification process. It's just a brief draft and not a final document. (Credits to my friend Marcus Brinkmann for additional insights). Package maintainer registers PGP key Package owners and ma