On Tue, Jul 16, 2013 at 13:57 -0400, Donald Stufft wrote:
On Jul 16, 2013, at 5:19 AM, holger krekel hol...@merlinux.eu wrote:
I am considering implementing gpg-signing and verification of release files
for devpi. Rather than requiring package authors to sign their release
files, i am
holger krekel holger at merlinux.eu writes:
about existing schemes/efforts. I guess most Linux distros do it already
so if nothing comes up here PyPI-specific (what is the status of TUF, btw?)
i am going to look into the distro's working models.
ISTM it works for distros because they're the
On Wed, Jul 17, 2013 at 07:48 +, Vinay Sajip wrote:
holger krekel holger at merlinux.eu writes:
about existing schemes/efforts. I guess most Linux distros do it already
so if nothing comes up here PyPI-specific (what is the status of TUF, btw?)
i am going to look into the distro's
On 17 Jul 2013 18:17, holger krekel hol...@merlinux.eu wrote:
On Wed, Jul 17, 2013 at 07:48 +, Vinay Sajip wrote:
holger krekel holger at merlinux.eu writes:
about existing schemes/efforts. I guess most Linux distros do it
already
so if nothing comes up here PyPI-specific (what is
On 07/17/2013 04:50 PM, Nick Coghlan wrote:
On 17 Jul 2013 18:17, holger krekel hol...@merlinux.eu wrote:
On Wed, Jul 17, 2013 at 07:48 +, Vinay Sajip wrote:
holger krekel holger at merlinux.eu writes:
about existing schemes/efforts.
On 17 Jul, 2013, at 19:17, Trishank Karthik Kuppusamy t...@students.poly.edu
wrote:
To very briefly summarize our status without going into tangential details:
1. We previously found and reported on this mailing list that if we naively
assigned a key to every PyPI project, then the
In my opinion it is a good idea to embed, not just the *name* of the package
that your package depends on, but also the public key or public keys that your
package requires the depended-upon package to be signed by.
There was a time when wheel did this, using Ed25519 keys (which are nice and
On Jul 17, 2013, at 3:58 PM, zooko zo...@zooko.com wrote:
In my opinion it is a good idea to embed, not just the *name* of the package
that your package depends on, but also the public key or public keys that your
package requires the depended-upon package to be signed by.
The problem with
Essentially, nothing changes from the user's standpoint or from the
standpoint of the package developer (except they sign their package).
The reason why we have multiple roles is to be robust against attacks in
case the main PyPI repo is hacked.
(Trishank can chime in with more complete /
Wheel provides a wheel keygen and wheel sign command and if you
set WHEEL_TOOL=/path/to/wheel then bdist_wheel will automatically sign
all the packages you create. Ideally wheel would sign every package,
reducing the problem from how do we force people to use PGP to how
do we derive value from
On 07/18/2013 03:24 AM, Ronald Oussoren wrote:
I'm trying to understand what this means for package maintainers. If I understand you
correctly maintainers would upload packages just like they do now, and packages are then
automatically signed by the unstable role. Then some manual process by
I am considering implementing gpg-signing and verification of release files
for devpi. Rather than requiring package authors to sign their release
files, i am pondering a scheme where anyone can vet for a particular
published release file by publishing a signature about it. This aims
to help
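The two ideas above, zooko's proposal that a package embed the public key(s) its dependency must be signed by, and holger's scheme where anyone can vouch for a published release file by publishing a signature over it, combined into one small verifier. This is an added example written for this page, not code from devpi, wheel or TUF. It assumes the third-party `cryptography` package for Ed25519; the names Dependency, Vouch, make_vouch and verify_release, the release bytes and the threshold policy are all constructed for illustration.

```python
"""Constructed example: a dependency that pins trusted vouching keys, and
third-party vouches (detached Ed25519 signatures) over a release file.
Ed25519 comes from the `cryptography` package (assumed installed)."""
import hashlib
from dataclasses import dataclass

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


@dataclass(frozen=True)
class Dependency:
    """What a depending package embeds (hypothetical structure): the name,
    the raw 32-byte Ed25519 public keys it trusts to vouch for that
    dependency, and how many distinct trusted vouches it requires."""
    name: str
    trusted_keys: frozenset  # of bytes
    threshold: int = 1


@dataclass(frozen=True)
class Vouch:
    """A published statement 'key K signed this release of project N'."""
    public_key: bytes  # raw Ed25519 public key
    signature: bytes   # Ed25519 signature over _message(...)


def _raw_pub(key: Ed25519PrivateKey) -> bytes:
    return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def _message(name: str, release_bytes: bytes) -> bytes:
    # Bind the signature to both the project name and the file content, so a
    # vouch for one project's file cannot be replayed for another project.
    digest = hashlib.sha256(release_bytes).hexdigest()
    return f"{name}\n{digest}".encode()


def make_vouch(signer: Ed25519PrivateKey, name: str, release_bytes: bytes) -> Vouch:
    """What a vouching party (author, auditor, anyone) publishes."""
    return Vouch(_raw_pub(signer), signer.sign(_message(name, release_bytes)))


def verify_release(dep: Dependency, release_bytes: bytes, vouches) -> tuple:
    """Return (ok, accepted_keys). A vouch counts only if its key is one the
    depending package trusts and its signature verifies over this exact
    file and name. Several vouches from one key count once."""
    msg = _message(dep.name, release_bytes)
    accepted = set()
    for v in vouches:
        if v.public_key not in dep.trusted_keys:
            continue  # a signature by an untrusted party proves nothing
        try:
            Ed25519PublicKey.from_public_bytes(v.public_key).verify(v.signature, msg)
        except InvalidSignature:
            continue  # tampered file, wrong project, or forged signature
        accepted.add(v.public_key)
    return len(accepted) >= dep.threshold, accepted


def demo() -> dict:
    """Exercise the policy on constructed keys and a stand-in release file."""
    author, auditor, stranger = (Ed25519PrivateKey.generate() for _ in range(3))
    release = b"constructed stand-in for an sdist or wheel"
    dep = Dependency("example-pkg", frozenset({_raw_pub(author), _raw_pub(auditor)}), threshold=2)
    good = [make_vouch(author, dep.name, release), make_vouch(auditor, dep.name, release)]
    return {
        "author_and_auditor": verify_release(dep, release, good)[0],
        "author_only": verify_release(dep, release, good[:1])[0],
        "author_twice": verify_release(dep, release, [good[0], good[0]])[0],
        "stranger_fills_in": verify_release(
            dep, release, [good[0], make_vouch(stranger, dep.name, release)])[0],
        "tampered_file": verify_release(dep, release + b"!", good)[0],
        "wrong_project": verify_release(
            dep, release, [make_vouch(author, "other-pkg", release), good[1]])[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} {'accept' if ok else 'reject'}")
```

The threshold is what makes the "anyone can vouch" idea safe: a stranger's signature is simply ignored, the author vouching twice still counts once, and a vouch made over a different file or project name fails verification, so a compromised index cannot reuse old signatures for a substituted file.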
On 16.07.2013, at 11:19, holger krekel hol...@merlinux.eu wrote:
Any thoughts or pointers to existing efforts within the (Python)
packaging ecologies?
Erik Rose just released peep the other day [1], which admittedly doesn't use
gpg but at least allows pip users to simplify the manual vetting
On 16.07.2013 12:21, Jannis Leidel wrote:
On 16.07.2013, at 11:19, holger krekel hol...@merlinux.eu wrote:
Any thoughts or pointers to existing efforts within the (Python)
packaging ecologies?
Erik Rose just released peep the other day [1], which admittedly doesn't use
gpg but at
On Tue, Jul 16, 2013 at 12:21 +0200, Jannis Leidel wrote:
On 16.07.2013, at 11:19, holger krekel hol...@merlinux.eu wrote:
Any thoughts or pointers to existing efforts within the (Python)
packaging ecologies?
Erik Rose just released peep the other day [1], which admittedly doesn't use
On Jul 16, 2013, at 5:19 AM, holger krekel hol...@merlinux.eu wrote:
I am considering implementing gpg-signing and verification of release files
for devpi. Rather than requiring package authors to sign their release
files, i am pondering a scheme where anyone can vet for a particular
16 matches