On Tuesday, November 20, 2012 at 2:17 PM, M.-A. Lemburg wrote:
> I wonder how systems like Debian or the various RPM-based ones
> deal with the problem.
OS packages are a little different since they use one key to sign the entire repository. They tend to use a rolling key so that they can expire keys over time without having to deal with forcing everyone to find out how to get a key over insecure means. If they needed to revoke a key there should be other keys that can sign the package, and if they needed to revoke all the keys then they'd need to start over for the original trust distribution. I'm not aware if they have any contingencies in place for "need to fix the entire trust database". Since there are fewer keys they can also make better assertions about how secure those keys are. Since every author has a key it's important to be able to revoke them because the chances of any one individual author needing to do so is larger than that of Debian.

As a side note, this type of system also needs to know who is allowed to sign for what particular package names. This data must be communicated securely, and it must require authorization from the existing keys to confirm the addition (or allow the user to force it to override). This cannot simply be a flag in PyPI.
_______________________________________________
Catalog-SIG mailing list
http://mail.python.org/mailman/listinfo/catalog-sig
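The per-package signer authorization described in the message above, as an added example that is not from the thread, from PyPI, or from any OS package tool: a constructed trust database in Go (ed25519 from the standard library) in which a key may sign a given package name only after an existing, unrevoked signer for that name has signed a delegation naming both the package and the new key, and in which revoking a key removes it everywhere. The `TrustDB` type, its method names and the delegation message format are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// TrustDB is a constructed model (not PyPI's or any real tool's): each package
// name maps to the public keys allowed to sign it, plus a global revocation set.
type TrustDB struct {
	allowed map[string]map[string]bool // package name -> set of raw public keys
	revoked map[string]bool            // raw public keys that must no longer be trusted
}

func NewTrustDB() *TrustDB { return &TrustDB{map[string]map[string]bool{}, map[string]bool{}} }
// Bootstrap records a package's first signer. In practice that is the out-of-band
// "original trust distribution" step, which this model does not cover.
func (db *TrustDB) Bootstrap(pkg string, pub ed25519.PublicKey) {
	if db.allowed[pkg] == nil {
		db.allowed[pkg] = map[string]bool{}
	}
	db.allowed[pkg][string(pub)] = true
}
// delegationMessage is what an existing signer signs to authorize newPub for pkg;
// binding the package name stops the delegation being replayed for another package.
func delegationMessage(pkg string, newPub ed25519.PublicKey) []byte {
	return append([]byte("delegate:"+pkg+":"), newPub...)
}
func (db *TrustDB) isAllowed(pkg string, pub ed25519.PublicKey) bool {
	return db.allowed[pkg][string(pub)] && !db.revoked[string(pub)]
}
// AddSigner accepts newPub for pkg only when sig is a valid delegation made by a
// key that is itself a current, unrevoked signer for that same package.
func (db *TrustDB) AddSigner(pkg string, newPub, byPub ed25519.PublicKey, sig []byte) error {
	if !db.isAllowed(pkg, byPub) {
		return errors.New("authorizing key is not a current signer for " + pkg)
	}
	if !ed25519.Verify(byPub, delegationMessage(pkg, newPub), sig) {
		return errors.New("delegation signature does not verify")
	}
	db.allowed[pkg][string(newPub)] = true
	return nil
}
// Revoke stops a key from signing or delegating for every package.
func (db *TrustDB) Revoke(pub ed25519.PublicKey) { db.revoked[string(pub)] = true }
// VerifyPackage accepts a signature only from a key currently authorized for pkg.
func (db *TrustDB) VerifyPackage(pkg string, content []byte, pub ed25519.PublicKey, sig []byte) bool {
	return db.isAllowed(pkg, pub) && ed25519.Verify(pub, content, sig)
}
```

A forced override by the user, which the message allows for, would be a separate call that records the key without a delegation; it is deliberately left out here so every path through `AddSigner` requires an existing signer's signature.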
