On Mar 20, 2013, at 12:31 PM, Nick Coghlan <[email protected]> wrote:
> On Wed, Mar 20, 2013 at 9:03 AM, Steve Dower <[email protected]> wrote:
>>> From: Nick Coghlan [mailto:[email protected]]
>>> [snip]
>>>
>>> I was pointed to an interesting resource:
>>> http://www.lfd.uci.edu/~gohlke/pythonlibs/
>>>
>>> (The security issues with that arrangement are non-trivial, but the
>>> convenience factor is huge)
>>
>> FWIW, one of the guys on our team has met with Christoph and considers him
>> trustworthy.
>
> Thanks, that's great to know, and ties into an idea that I just had.
> In addition to whether or not the build is trusted, there's also the
> risk of MITM attacks against the download site (less so when automated
> installers aren't involved, but still a risk). We just switched PyPI
> over to HTTPS for that very reason.
>
> The idle thought I had was that it may be useful if PyPI users could
> designate other users as "repackagers" for their project, and PyPI
> offered an interface that was *just* file uploads for an existing
> release.

I *think* if done properly a TUF secured API can be set up so that the role for signing certain files can be delegated, but I'm not sure.

> Then the pip developers, for example, could say "we trust Christoph to
> make our Windows installers", and grant him repackager access so he
> could upload the binaries for secure redistribution from PyPI rather
> than needing to host them himself.
>
> We'd probably want something like this for an effective build farm
> system anyway, this way it could work regardless of whether it was a
> human or an automated system converting the released sdists to
> platform specific binaries.
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan | [email protected] | Brisbane, Australia
> _______________________________________________
> Distutils-SIG maillist - [email protected]
> http://mail.python.org/mailman/listinfo/distutils-sig

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
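The "repackager" idea in the message above maps onto what TUF calls a targets delegation: the project's own targets role names a second key and the file paths that key is allowed to vouch for, and a client accepts a download only if it is listed in metadata signed by a role authorised for that path. The toy below is an added example written for this page; it is not code from the thread, from pip, from PyPI or from the TUF project. It assumes HMAC-SHA256 as a stand-in for the asymmetric signatures real TUF uses (so it runs on the standard library alone), and every key name, role name, file name and file body in it is constructed.

```python
import fnmatch
import hashlib
import hmac
import json

# Constructed key material. Real TUF verifiers hold public keys and signers
# hold private keys; with the HMAC stand-in both sides share one secret.
KEYS = {"pip-maintainers": b"secret-1", "repackager": b"secret-2",
        "attacker": b"secret-3"}


def canonical(obj):
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(keyid, signed):
    return hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()


def make_metadata(role, targets, delegations=(), signers=()):
    """Build a targets-style metadata file signed by the given key ids."""
    signed = {"_type": "targets", "role": role, "targets": targets,
              "delegations": list(delegations)}
    return {"signed": signed,
            "signatures": [{"keyid": k, "sig": sign(k, signed)} for k in signers]}


def count_valid_sigs(meta, allowed_keyids):
    """Count distinct allowed keys with a valid signature over `signed`."""
    good = set()
    for s in meta["signatures"]:
        kid = s["keyid"]
        if kid in allowed_keyids and kid in KEYS and hmac.compare_digest(
                sign(kid, meta["signed"]), s["sig"]):
            good.add(kid)
    return len(good)


def find_target(path, meta, allowed_keyids, threshold, store):
    """Return the target record for `path`, or None if no authorised role lists it.

    The path restriction is enforced by consulting a delegated role only for
    paths matching its delegated patterns: a repackager who lists the sdist in
    his own metadata is never asked about the sdist.
    """
    if count_valid_sigs(meta, allowed_keyids) < threshold:
        return None
    signed = meta["signed"]
    if path in signed["targets"]:
        return signed["targets"][path]
    for d in signed["delegations"]:
        if not any(fnmatch.fnmatch(path, p) for p in d["paths"]):
            continue
        sub = store.get(d["name"])
        if sub is None:
            continue
        hit = find_target(path, sub, set(d["keyids"]), d["threshold"], store)
        if hit is not None:
            return hit
    return None


def verify_download(path, content, top, store, top_keyids, top_threshold=1):
    """True only if the bytes match a record from a role authorised for `path`."""
    rec = find_target(path, top, top_keyids, top_threshold, store)
    return (rec is not None and rec["length"] == len(content) and
            hmac.compare_digest(rec["sha256"], hashlib.sha256(content).hexdigest()))


def record(content):
    return {"length": len(content), "sha256": hashlib.sha256(content).hexdigest()}


# Constructed release: the project signs the sdist and delegates only the
# Windows wheel paths to the repackager key.
SDIST, SDIST_PATH = b"constructed sdist bytes", "pip-1.3.tar.gz"
WHEEL, WHEEL_PATH = b"constructed win32 wheel bytes", "pip-1.3-py27-none-win32.whl"
TOP_KEYIDS = {"pip-maintainers"}
TOP = make_metadata("targets", {SDIST_PATH: record(SDIST)}, signers=("pip-maintainers",),
                    delegations=[{"name": "windows-wheels", "keyids": ["repackager"],
                                  "threshold": 1,
                                  "paths": ["pip-*-win32.whl", "pip-*-win_amd64.whl"]}])
# The repackager's metadata also lists a different sdist; that entry is out of scope.
STORE = {"windows-wheels": make_metadata(
    "windows-wheels", {WHEEL_PATH: record(WHEEL), SDIST_PATH: record(b"replaced sdist")},
    signers=("repackager",))}
# Same role name, but signed by a key the delegation never authorised.
FORGED_STORE = {"windows-wheels": make_metadata(
    "windows-wheels", {WHEEL_PATH: record(b"backdoored wheel")}, signers=("attacker",))}


def demo():
    v = lambda p, c, s: verify_download(p, c, TOP, s, TOP_KEYIDS)
    return {"wheel_from_repackager_accepted": v(WHEEL_PATH, WHEEL, STORE),
            "sdist_from_project_accepted": v(SDIST_PATH, SDIST, STORE),
            "repackager_cannot_replace_sdist": not v(SDIST_PATH, b"replaced sdist", STORE),
            "tampered_wheel_rejected": not v(WHEEL_PATH, WHEEL + b"x", STORE),
            "unauthorised_key_rejected": not v(WHEEL_PATH, b"backdoored wheel", FORGED_STORE)}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The two things worth noticing are the ones the thread is circling: the MITM case is covered because the client checks length and hash against signed metadata rather than trusting whatever the download site returned, and the "trust Christoph for the Windows installers only" case is covered because the delegated key's metadata is consulted solely for paths inside its delegation, so a compromised or mistaken repackager key cannot substitute the sdist. Real TUF adds thresholds of several keys per role, expiry, and a snapshot/timestamp layer against rollback, none of which this toy models.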
