On 11 Feb 2013 03:54, "Donald Stufft" <[email protected]> wrote:
>
> On Sunday, February 10, 2013 at 12:53 PM, Giovanni Bajo wrote:
>>
>> On 10 Feb 2013, at 18:08, Antoine Pitrou <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> Vinay Sajip <vinay_sajip <at> yahoo.co.uk> writes:
>>>>
>>>> I've contacted the FSF about the licensing implications of including gpg with
>>>> Python programs. This is primarily for Windows - Posix users are better off
>>>> installing through their distro package manager or equivalent of the
>>>> Homebrew/MacPorts type, if necessary.
>>>
>>> You want to post this on python-dev, not catalog-sig.
>>>
>>> Also, before inquiring about legal matters, it should first be decided
>>> whether it is desirable to ship our version of GnuPG, or not.
>>> (unless there has already been a thread about this and I've missed it :-))
>>
>> There is an open discussion whether to use TUF or GPG. If we go with GPG, then we will discuss what to do, given that:
>>
>> 1) for users, the problem is not on python-dev, but rather on the maintainers of package managers (pip, easy_install) that need to decide how to ship/install GPG to verify signatures.
>> 2) for maintainers, I don't see a strong need to ship it with distutils within Python, as long as we have clear documentation on how to install it. But this is open for discussion of course.
>>
> I didn't see TUF mention anywhere what technology would be used to sign its
> files. So it's possible to use GPG (or possibly another one?)
It specifically mentions PKCS#1, but the scheme seemed flexible enough to accommodate the use of GPG instead. There are more significant differences in the trust model between TUF and Giovanni's design, though. The generality of TUF makes it more complex in some regards, since it delegates trust for specific relative target paths within the repo, whereas Giovanni's model just delegates trust for distributions. However, TUF also already accounts for several additional attack vectors (like deliberately providing old versions).

Cheers,
Nick.

>
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
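The two points Nick raises about TUF (trust delegated per relative target path within the repo, and protection against being served deliberately old metadata) are sketched below as an added example; this is not code from the thread or from the TUF project, and it assumes a simplified, constructed metadata layout in which role signatures have already been verified before these checks run.

```python
import fnmatch
import hashlib
import hmac

# Constructed top-level "targets" metadata: it does not list files itself but
# delegates trust for one relative path pattern to the role "giovanni".
TARGETS = {
    "version": 7,
    "expires": 2_000_000_000,  # constructed Unix timestamp, far in the future
    "delegations": [{"name": "giovanni", "paths": ["projects/foo/*"]}],
}

# Constructed metadata of the delegated role, listing one target file.
DELEGATED = {
    "giovanni": {
        "version": 3,
        "expires": 2_000_000_000,
        "targets": {
            "projects/foo/foo-1.2.tar.gz": {
                "length": 5,
                "hashes": {"sha256": hashlib.sha256(b"hello").hexdigest()},
            }
        },
    }
}


def check_metadata(meta, last_seen_version, now=1_700_000_000):
    """Reject expired metadata and rollbacks to a version older than one already seen."""
    if meta["expires"] < now:
        raise ValueError("metadata expired")
    if meta["version"] < last_seen_version:
        raise ValueError("rollback: version %d < %d" % (meta["version"], last_seen_version))
    return meta["version"]


def find_target(path, targets_meta, delegated_meta, last_seen):
    """Resolve a target through delegations; a role is consulted only for paths it was delegated."""
    check_metadata(targets_meta, last_seen.get("targets", 0))
    for d in targets_meta["delegations"]:
        if any(fnmatch.fnmatch(path, pattern) for pattern in d["paths"]):
            role = delegated_meta[d["name"]]
            check_metadata(role, last_seen.get(d["name"], 0))
            info = role["targets"].get(path)
            if info is not None:
                return info
    raise LookupError("no trusted role lists %s" % path)


def verify_download(data, target_info):
    """Check the downloaded bytes against the length and hash the trusted role published."""
    if len(data) != target_info["length"]:
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, target_info["hashes"]["sha256"])
```

The point of the delegation lookup is that a role can only vouch for files under the path pattern it was delegated; a file elsewhere in the repo is rejected even if that role's metadata lists it.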
