On 07 Feb 2013, at 16:16, Jesse Noller <[email protected]> wrote:

> On Thursday, February 7, 2013 at 10:04 AM, Giovanni Bajo wrote:
>> On 07 Feb 2013, at 15:35, "M.-A. Lemburg" <[email protected]> wrote:
>>
>>> On 07.02.2013 15:13, Giovanni Bajo wrote:
>>>> On 07 Feb 2013, at 12:55, "M.-A. Lemburg" <[email protected]> wrote:
>>>>>> Can you please describe an attack that can be mounted against PyPI/pip
>>>>>> that is prevented by having this additional signature?
>>>>>
>>>>> This is not about preventing some kind of attack. It's to simplify
>>>>> the setup for the user of PyPI (via the package manager).
>>>>>
>>>>> The user will no longer have to install several tens or even
>>>>> hundreds of different uploader GPG keys locally just to be able
>>>>> to verify the downloads. Instead, just the PyPI key is needed.
>>>>>
>>>>> I think that's important to not disrupt the PyPI user experience.
>>>>>
>>>>> Additionally, as already mentioned by Lennart, all the GPG interaction
>>>>> could be handled by the package managers.
>>>>
>>>> Yes, but *all* of the above requirements can be obtained by simply having
>>>> PyPI tell pip "key ABCD1234 is authoritative for package django". pip can
>>>> then tell GPG to go get the key automatically from a first-party or
>>>> third-party keyserver (e.g. launchpad).
>>>>
>>>> I'm absolutely *not* suggesting the user go downloading tons of GPG
>>>> keys manually.
>>>
>>> I don't think anyone would want to have pip installing hundreds
>>> of PyPI uploader GPG keys locally, even less so, if just one is
>>> enough :-)
>>
>> OK, so we need to make both Jesse happy, who doesn't even want pip to run GPG
>> under the hood without him even realizing that gpg exists and is being used
>> as a crypto primitive, and you, who wants to keep a clean keychain that might
>> become too cluttered by too many keys :)
>>
>> I'm sure Jesse doesn't care if the GPG keychain (which he doesn't even want
>> to have) becomes too cluttered, because he doesn't even want to learn how to
>> dump the keychain contents, or to install a GUI tool to inspect it. I think
>> this will be the case for the large majority of users that simply run
>> "apt-get install gpg" once and then forget about it and go on with their
>> normal pip work (with a fully transparent level of additional security).
>>
> It's less about keeping "me" happy: I'm fine with a model that if GPG exists,
> it's used, silently (not linked against in any way though in core Python -
> license incompatible). My concern is users needing to *use* and *understand*
> how to use GPG/OpenPGP - to quote someone:
>
> "I'm really skeptical about the GPG parts of this. If "install GPG" is the
> first step of uploading a package to PyPI, I think a ton of people will just
> skip it. No matter how well-documented it is."
>
> There's some other discussion on the google doc some of us have been using to
> triage the current situation with pypi (send me a google id, and I'll share
> it) - I haven't had a chance to distill it into human form yet.

[email protected] is a valid Google ID, thanks.

FWIW, I'm writing a Google Doc that elaborates Heimes' proposal, I'll share it later.

--
Giovanni Bajo :: [email protected]
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
