I believe we should remove the /serverkey and /serversig/* APIs from PyPI.
* I am not aware of *any* implementation that actually verifies packages against this API.
* In the light of PEP 449, users now make a very conscious choice of which mirror they are using, which means they are no longer downloading random things from indiscriminate mirrors.
* It uses DSA, which is a cryptographic primitive where if you reuse the random number or have *any* bias in your random number you completely leak the private key. Given the nature of PyPI it's completely possible for a malicious user to essentially create an unbounded number of signatures, making it more likely that a random nonce will be reused.
* Moving forward, something like TUF is a much better answer to the problems this attempts to solve as well as other problems.

So it's basically unused with questionable primitives and better solutions exist. Does anyone have any objections to this being removed?

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
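The DSA nonce-reuse failure mode described in the message above, worked through on toy parameters as an added example (not code from PyPI or from this thread). P, Q, G, the private key, the nonce and the byte-sum stand-in hash are all constructed so the arithmetic can be checked by hand; the point it shows is that two signatures made with the same k share r, which is the check a verifier or auditor can run, and that together they give back the private key.

```python
# Toy DSA over 12-bit parameters (constructed, NOT secure) showing why a reused
# or biased nonce k is fatal. Needs Python 3.8+ for pow(a, -1, m).
P, Q, G = 2111, 211, 1024   # Q | P-1, G = 2**10 mod P has order Q (constructed)

def toy_hash(msg: bytes) -> int:
    """Stand-in for SHA-x reduced mod q; keeps the numbers hand-checkable."""
    return sum(msg) % Q

def sign(x: int, msg: bytes, k: int):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x*r) mod q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (toy_hash(msg) + x * r) % Q
    assert r and s, "degenerate signature; a real signer would pick a new k"
    return r, s

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = toy_hash(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def nonce_reused(sig1, sig2) -> bool:
    """Detection check: r depends only on k, so the same r on signatures of
    different messages means the signer reused its nonce."""
    return sig1[0] == sig2[0]

def recover_private_key(msg1, sig1, msg2, sig2) -> int:
    """Shared k: k = (H1-H2)/(s1-s2) mod q, then x = (s1*k - H1)/r mod q."""
    (r, s1), (_, s2) = sig1, sig2
    h1, h2 = toy_hash(msg1), toy_hash(msg2)
    if s1 == s2:
        raise ValueError("need two messages with different hashes mod q")
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h1) * pow(r, -1, Q) % Q

def demo() -> dict:
    x = 58                      # constructed private key
    y = pow(G, x, P)            # corresponding public key
    m1, m2 = b"release-1.0", b"release-1.1"
    k = 3                       # the same nonce used for both signatures
    sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
    return {"valid": verify(y, m1, sig1) and verify(y, m2, sig2),
            "reuse_detected": nonce_reused(sig1, sig2),
            "recovered": recover_private_key(m1, sig1, m2, sig2),
            "x": x}
```

Signers avoid this by deriving k deterministically from the private key and the message (RFC 6979) instead of from an RNG whose bias or repetition a remote party can provoke by requesting many signatures.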