I cc:d catalog-sig, aiming to move the discussion there.

On Mon, Feb 4, 2013 at 11:40 AM, Christian Heimes <[email protected]> wrote:

> * Package creator provides her public key somehow (a PKI is tricky and
> hard to get right)

This breaks it. It can't be "somehow". For example, I'm currently working on a project I call "Hovercraft". It has four dependencies: Distribute/Setuptools, docutils, lxml and svg.path. I'm the author of svg.path, so including the Hovercraft package itself, that's five packages with four sources and four different public keys. If you need to go and find these public keys "somehow" before pip will download and install the packages, pip will become practically useless, as for a practical use of it you have to find hundreds of separate public keys. It will become almost practically impossible to download and install packages securely.

Since pip in such a situation would be useless, we would have to allow pip to install packages without checking for signatures, which then will be how everybody uses it, making that whole security feature unused and useless. So that doesn't work.

PyPI *has* to be made reliable, in as much as we must be able to trust PyPI to either send us the correct file, or trust it to give us information that lets us verify, automatically, that it is the correct file. If it can't be made reliable then it has to be replaced.

//Lennart

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
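The second option Lennart describes, the index handing the client something it can verify automatically, is what pip does today with a `#sha256=<hex>` fragment on a download URL. The following is an added illustration of that model and is not pip's code nor anything from this thread: the index is the single trust anchor, every file is checked against the pinned digest before it counts as installed, and no per-author key is needed; the package file names, URLs and file contents are constructed stand-ins.

```python
"""Index-served digest verification (added example, not pip's code).
The index returns one pinned URL per file, '...#sha256=<hex>' as pip
accepts it, and the client verifies each download against that digest.
"""
import hashlib
from typing import Dict, List, Optional
from urllib.parse import urlparse


class VerificationError(Exception):
    """Raised when a download cannot be shown to be the expected file."""


# Constructed stand-in for files served by a package index.
_SERVED_FILES: Dict[str, bytes] = {
    "hovercraft-1.0.tar.gz": b"hovercraft source",
    "setuptools-0.6.tar.gz": b"setuptools source",
    "docutils-0.10.tar.gz": b"docutils source",
    "lxml-3.1.tar.gz": b"lxml source",
    "svg.path-1.0.tar.gz": b"svg.path source",
}


def digest_from_url(url: str) -> str:
    """Return the sha256 hex digest pinned in the URL fragment, or fail closed."""
    algo, sep, value = urlparse(url).fragment.partition("=")
    if algo != "sha256" or not sep or len(value) != 64:
        raise VerificationError(f"no usable sha256 pin in {url!r}")
    return value.lower()


def fetch(url: str) -> bytes:
    """Stand-in for an HTTP download; serves the constructed files above."""
    return _SERVED_FILES[urlparse(url).path.rsplit("/", 1)[-1]]


def verify_download(url: str, data: Optional[bytes] = None) -> bytes:
    """Download (or take the given bytes) and verify against the pinned digest."""
    expected = digest_from_url(url)
    data = fetch(url) if data is None else data
    if hashlib.sha256(data).hexdigest() != expected:
        raise VerificationError(f"digest mismatch for {url}")
    return data


def index_links(names: List[str]) -> Dict[str, str]:
    """What a trustworthy index returns: a pinned URL for each requested file."""
    return {n: f"https://files.example/{n}#sha256="
               f"{hashlib.sha256(_SERVED_FILES[n]).hexdigest()}" for n in names}


def install_all(names: List[str]) -> List[str]:
    """Verify every dependency; the index pin is the only trust anchor used."""
    return [name for name, url in index_links(names).items() if verify_download(url)]
```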
