-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05.02.2013 22:28, Zygmunt Krynicki wrote:
>> * If we are trusting the fingerprint someone is sending us we
>> can trust the public key they are sending us,
>> * Adds an extra step to go from zero to releasing
>> * Expecting the user to decrypt the mail manually is kinda unfriendly
>
> It provides a guarantee that the user has access to the public and
> private keys and completes the email cycle. Launchpad.net has the
> same functionality built in.

Exactly! I modeled the workflow based on Launchpad's design. The extra
cycle helps the user to verify her setup. This aids users that are new
to GPG and signing, too.

> I get the feeling that we either put a lot of trust in the central
> authority (pypi) or we must conclude that peer-to-peer trust
> without automatic update methods is the only way that prevents us
> from some attacks.

My design has the benefit of enabling both levels of trust at the same
time:

1) An overtrustful user just has to trust PyPI's key. She checks PyPI's
signature of the package metadata + maintainer's signature to verify
that the maintainer was trusted by PyPI at the moment of the upload.
After that she verifies the uploader's signature of the file WITHOUT
verifying the uploader's key. The user doesn't trust the uploader's key
explicitly but rather trusts PyPI's simple key check.

2) A more paranoid user also needs to establish full trust of the
uploader's key (import and sign the key).

> I agree. I think that pypi should not have to be trusted. Real
> people trust other (few, limited) real people. We don't normally
> trust large bodies (corporations, groups) as that trust cannot be
> effective.

No, you have to trust PyPI to some degree. PyPI is *the* authority of
the relationship between users and projects. PyPI is the only entity in
the process that can truly verify that a key holder was a project
maintainer at some given point in the past. If you don't trust PyPI then
you have to create and maintain your own mapping of key fingerprints to
projects.
Christian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJREjccAAoJEMeIxMHUVQ1FoKMP/30NW1Kc85ojv/SUfwzGNY7M
EQRlbY7MS98kaCio+o5Od2TEMSzjQtfdwZDhPVqsYZ6HEp17mkpruSjUHqFzPwPi
ru6+JP+Y7V7W5po6UB4ofCHix98IRoXNAPCoJtIxsjKqoLG26+5p/6Xx4UMWRhPj
Cc0ej4LuYVECpBYubE8PB0RVY/t35MN8nRUOs5DZ2W91xX73MBzV3/cmcW3faqUM
0cQO0Ag0EiVlw3RrY0nBPMKaaIRyGjQmC9sdG6ri4iLI8ONhzMYhyV1TPvkI8G2Q
QAUy2RYXqZkzdH5UEQEr7nvhtsYhXVpEs/gL6r/t9Bj6Ck33NzU5aEXURKjCKTy3
+h4ox5bzqbPH+7AU7hbPiuG57GOJiZ2RlnLn1lOyK804FZPM1R68yVvDGJc1nU9S
nPGfM6RhP3B7tGrrR3kRKUQXEPVsAF0Z+/0w5xXuDR6ftuD6ni/cUx4Fgw491IF+
4ruVkYdK4yZu8pH0opbDcQix4z0ITGuJ8m2zA5E3iruenKwyRIDBhtWYZfiu3V4v
2s9FO3Gcb7WkdQL/nZKZLk6PBwbXWkOZGDq5VYKlJ+Mbr9vPHZ7jgbDWXD61W0ZK
v65rLeS8LenINSbrmq3hPxW2ucZGJh3w/4mJMNZqgPsBvdhg0tvscLV/GNes9n+1
Bp0wDeG5vp/HvSLUmrTP
=LUCN
-----END PGP SIGNATURE-----
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
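The two trust levels Christian describes (level 1: trust PyPI's signature over the metadata and check that the uploader's key is the one PyPI endorsed; level 2: additionally require the uploader's key in a locally trusted keyring), worked through as an added example that is not part of the original mail or of any PyPI code. Ed25519 from Go's standard library stands in for OpenPGP, the `Metadata` layout and the SHA-256 "fingerprint" are constructed stand-ins for PyPI's real metadata and GPG fingerprints, and the `Release` struct models what a client would download. The verifier returns a distinct error for each way the check can fail so the order of checks is visible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Metadata is a constructed stand-in for the per-release metadata PyPI would sign.
// UploaderFpr records which key PyPI considered a maintainer at upload time.
type Metadata struct {
	Project     string
	Version     string
	FileSHA256  string // hex digest of the distribution file
	UploaderFpr string // fingerprint of the uploader's key (see Fingerprint)
	UploadedAt  string // constructed timestamp, not a real upload date
}

// Bytes is the canonical byte string PyPI signs; any field change invalidates the signature.
func (m Metadata) Bytes() []byte {
	return []byte(m.Project + "\n" + m.Version + "\n" + m.FileSHA256 + "\n" +
		m.UploaderFpr + "\n" + m.UploadedAt + "\n")
}

// Fingerprint is a hypothetical stand-in for a GPG fingerprint: hex SHA-256 of the raw public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Release is what the client fetches: signed metadata, the file, the uploader's
// detached signature, and the uploader's public key (shipped, but not trusted on its own).
type Release struct {
	Meta        Metadata
	MetaSig     []byte // PyPI's signature over Meta.Bytes()
	File        []byte
	FileSig     []byte // uploader's signature over File
	UploaderPub ed25519.PublicKey
}

var (
	ErrPyPISig     = errors.New("PyPI signature over metadata invalid")
	ErrFprMismatch = errors.New("shipped uploader key does not match the fingerprint PyPI endorsed")
	ErrFileHash    = errors.New("file hash does not match signed metadata")
	ErrFileSig     = errors.New("uploader signature over file invalid")
	ErrUntrusted   = errors.New("uploader key not in local trusted keyring (level 2)")
)

// Verify checks a release. trustedUploaders is the user's own keyring of explicitly
// trusted uploader fingerprints; nil selects level 1 (PyPI's key check only).
func Verify(r Release, pypiPub ed25519.PublicKey, trustedUploaders map[string]bool) error {
	// 1. PyPI's signature binds project, file hash and uploader fingerprint at upload time.
	if !ed25519.Verify(pypiPub, r.Meta.Bytes(), r.MetaSig) {
		return ErrPyPISig
	}
	// 2. The key shipped with the release must be the one PyPI endorsed.
	if Fingerprint(r.UploaderPub) != r.Meta.UploaderFpr {
		return ErrFprMismatch
	}
	// 3. The file must be the one whose hash PyPI signed.
	sum := sha256.Sum256(r.File)
	if hex.EncodeToString(sum[:]) != r.Meta.FileSHA256 {
		return ErrFileHash
	}
	// 4. The uploader's detached signature over the file, using the endorsed key.
	if !ed25519.Verify(r.UploaderPub, r.File, r.FileSig) {
		return ErrFileSig
	}
	// 5. Level 2 only: the user must also have trusted the uploader's key herself.
	if trustedUploaders != nil && !trustedUploaders[r.Meta.UploaderFpr] {
		return ErrUntrusted
	}
	return nil
}

// MakeRelease plays both PyPI (signs metadata) and the uploader (signs the file).
func MakeRelease(pypiPriv, uploaderPriv ed25519.PrivateKey, project, version string, file []byte) Release {
	sum := sha256.Sum256(file)
	uploaderPub := uploaderPriv.Public().(ed25519.PublicKey)
	meta := Metadata{project, version, hex.EncodeToString(sum[:]), Fingerprint(uploaderPub), "2013-02-05T00:00:00Z"}
	return Release{
		Meta:        meta,
		MetaSig:     ed25519.Sign(pypiPriv, meta.Bytes()),
		File:        file,
		FileSig:     ed25519.Sign(uploaderPriv, file),
		UploaderPub: uploaderPub,
	}
}

func main() {
	pypiPub, pypiPriv, _ := ed25519.GenerateKey(rand.Reader)
	uploaderPub, uploaderPriv, _ := ed25519.GenerateKey(rand.Reader)
	r := MakeRelease(pypiPriv, uploaderPriv, "example-pkg", "1.0", []byte("constructed wheel bytes"))

	fmt.Println("level 1:", Verify(r, pypiPub, nil))                                   // <nil>
	fmt.Println("level 2, key not yet trusted:", Verify(r, pypiPub, map[string]bool{})) // ErrUntrusted
	fmt.Println("level 2, key trusted:", Verify(r, pypiPub, map[string]bool{Fingerprint(uploaderPub): true}))

	tampered := r
	tampered.File = []byte("modified bytes")
	fmt.Println("tampered file:", Verify(tampered, pypiPub, nil)) // ErrFileHash
}
```

Step 2 is what makes level 1 meaningful: the client never has to decide whether the uploader's key is genuine, because PyPI's signature over the fingerprint already says which key was a maintainer's at upload time. A level 2 client adds its own keyring check on top and so keeps working even if it stops trusting PyPI's endorsement.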