On 28 July 2014 16:01, Giovanni Bajo <ra...@develer.com> wrote:
> I thus solicit a second round of review of my proposal; if you want me to
> upload to Google Docs for ease of commenting, I can do that as well.
> I would love to get the PEP to its final form and then ask for a
> pronouncement.
I have only scanned the initial part of the proposal thus far, but I have some comments.

First of all, the proposal is well-written - I'm not a security expert and my eyes very rapidly glaze over when reading security documents. (I know what you mean about the TUF docs!) Your PEP was pretty easy for me to follow, so many thanks for that :-)

Comments on the content:

* I assume that installation of unsigned packages would not need GPG or any form of key download, and would work as now. That's crucial, and without that, the proposal is a non-starter (consider pip running in an environment not connected to the internet, installing local builds that don't need signing and haven't been).

* I didn't look at how the signature metadata was supplied, but I assume it would only be served from full indexes and not from --find-links locations (relevant in the above scenario).

* I am strongly against pip depending on an external GPG. Even though it may be a simple install, it may not be allowed in locked-down environments, and on virtual machines and testing services (like Travis or Appveyor) installing it may be non-trivial or simply an annoying extra step.

* Given that this leaves a pure-Python GPG implementation, does one exist? Is it robust? I wouldn't want to rely on a low-quality implementation.

* Also, would it be fast enough? Speed of building virtualenvs has always been something users care about (it was behind the development of wheels, for example) and a key-checking step could slow down builds noticeably.

* Other tools would need changing as well. There's distlib, and PyPI mirroring tools like devpi.

* There will always need to be an option to install unsigned packages, even if it's only for local packages served up by a private index.
Also, a couple of points that are more related to the general idea of "everything should be signed" - something that I don't disagree with but I do have opinions on, as someone who's never actually published anything on PyPI but probably will someday (I have an endless stream of "nearly ready" stuff...) and who fears that the expectations that maintainers are at least minimally organised might just exclude him ;-)

* I didn't see a discussion of what happens if a maintainer loses his GPG key (not compromised, just lost - say he accidentally deleted his only copy). Would he have to generate a new one and re-sign everything? How would that affect users of his packages?

* Also, what about a maintainer working on a different PC where he doesn't have his key available? I guess the answer there may be "tough, you can't maintain your package without your key available". (How secure would services like SkyDrive and Dropbox be considered in that regard? I normally work between 2 PCs where the only reliable shared resource I have is SkyDrive).

These aren't directly related to the specifics of the proposal itself, but might warrant a section addressing them...

Paul

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
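The policy Paul asks for in the message above (signatures required only for packages served from a full index; local builds and --find-links packages installable unsigned; an explicit opt-out; and no dependency on an external gpg binary) can be sketched in pure Python. The block below is an added illustration written for this page; it is not code from the PEP, from pip, or from either author of the thread. It stands in for GPG with textbook RSA over a SHA-256 digest so that the whole check runs in the interpreter, and everything in it is constructed for the demo: the `origin` categories ("index", "find-links", "local"), the `Candidate` record, the key material (two Mersenne primes, far too small for real use) and the sdist bytes. It goes one step beyond the text by also handling a package whose signature is present but does not match its contents, which must be rejected whatever its origin. The `verification_cost_ms` helper is there to put a number on the "would it be fast enough?" question for this toy verifier only.

```python
"""Illustrative install-time signature policy (not pip's or the PEP's code)."""
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo key. P and Q are Mersenne primes 2^127-1 and 2^521-1; the
# ~648-bit modulus comfortably holds a 256-bit digest. This is NOT a real
# PGP/GPG key and is not secure; it only makes the check self-contained.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent via modular inverse (3.8+)


def _digest_int(data: bytes) -> int:
    """SHA-256 of the package bytes as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Textbook RSA signature over the digest (stand-in for a GPG signature)."""
    return pow(_digest_int(data), d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Pure-Python verification: no external gpg binary involved."""
    return pow(signature, e, n) == _digest_int(data)


@dataclass
class Candidate:
    """A package pip has located, with where it came from and any signature."""
    name: str
    data: bytes
    origin: str                       # "index", "find-links" or "local" (assumed)
    signature: Optional[int] = None   # None when the source served no signature


def signature_required(origin: str, allow_unsigned: bool) -> bool:
    """Only full indexes are expected to serve signatures; --find-links and
    local files work as today. allow_unsigned is the explicit opt-out."""
    if allow_unsigned:
        return False
    return origin == "index"


def check_candidate(c: Candidate, allow_unsigned: bool = False) -> str:
    """Decide the install outcome for one candidate.

    Returns one of: "installed-signed", "installed-unsigned",
    "rejected-bad-signature", "rejected-unsigned".
    """
    if c.signature is not None:
        # A present-but-wrong signature means tampering or a mismatched key:
        # reject regardless of origin, never fall back to "unsigned".
        if not verify(c.data, c.signature):
            return "rejected-bad-signature"
        return "installed-signed"
    if signature_required(c.origin, allow_unsigned):
        return "rejected-unsigned"
    return "installed-unsigned"


def verification_cost_ms(data: bytes, rounds: int = 200) -> float:
    """Average wall-clock milliseconds per verify() call for this toy scheme."""
    sig = sign(data)
    t0 = time.perf_counter()
    for _ in range(rounds):
        verify(data, sig)
    return (time.perf_counter() - t0) * 1000.0 / rounds


# Constructed sample package bytes (stands in for a downloaded sdist/wheel).
SDIST = b"PK\x03\x04 demo-pkg-1.0 constructed sample archive bytes"


if __name__ == "__main__":
    good = Candidate("demo-pkg-1.0.tar.gz", SDIST, "index", sign(SDIST))
    print(check_candidate(good))
    print(check_candidate(Candidate("demo-pkg-1.0.tar.gz", SDIST, "local")))
    print(check_candidate(Candidate("demo-pkg-1.0.tar.gz", SDIST, "index")))
    print(f"{verification_cost_ms(SDIST):.3f} ms per verify")
```

The ordering in `check_candidate` is the security-relevant part: the "is a signature required?" question is only asked when no signature is present at all, so a corrupted or forged signature can never be waved through by the unsigned-packages escape hatch, including when `allow_unsigned=True`.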