> On Mar 13, 2017, at 9:23 PM, Nick Coghlan <ncogh...@gmail.com> wrote:
>
> On 14 March 2017 at 03:46, Steve Dower <steve.do...@python.org
> <mailto:steve.do...@python.org>> wrote:
> Another drive-by contribution: what if twine printed the hashes for anything
> it uploads with a message basically saying "here are the things you should
> publish somewhere for this release so people can check the validity of your
> packages after they download them"?
>
> I suspect many publishers have never considered this is something they could
> or should do. Some very basic prompting could easily lead to it becoming part
> of the normal workflow.
>
> Huh, and with most PyPI publishers using public version control systems,
> their source control repo itself could even serve as "a trusted channel that
> they control and the PyPI service can't influence". For example, the artifact
> hashes could be written out by default to:
>
> .released_artifacts/<version>/<artifact_name>.sha256
>
> And if twine sees the hash file exists before it starts the upload, it could
> complain that the given artifact had already been published even before PyPI
> complains about it.
1. This sounds like it could be very cool.

2. Except, as stated - i.e. hashes without signatures - this just means we all trust Github rather than PyPI :).

3. A simple signing scheme, like https://minilock.io but for plaintext signatures rather than encryption <https://github.com/kaepora/miniLock/issues/198>, could potentially address this problem.

4. Cool as that would be, someone would need to design that thing first, and that person would need to be a cryptographer.

5. Now all you need to do is design a globally addressable PKI system. Good luck everybody ;-).

-glyph
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
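The `.released_artifacts/<version>/<artifact_name>.sha256` workflow sketched in the quoted message, written out as an added example in Python. This is not twine's code and not anything the thread's participants wrote; the directory layout, the `sha256sum`-style record format, and the function names (`record_release_hash`, `verify_download`) are assumptions made here, and the sample artifact is constructed inline so the block runs offline.

```python
"""Added example (not twine's code): record a release artifact's SHA-256 in a
source repo, refuse to re-record an artifact that already has a record, and let
a downloader verify what they fetched against that record."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Assumed layout, taken from the quoted proposal:
#   <repo>/.released_artifacts/<version>/<artifact_name>.sha256
HASH_DIR = ".released_artifacts"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large sdists/wheels don't have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_path(repo_root, version, artifact_name):
    return Path(repo_root) / HASH_DIR / version / (artifact_name + ".sha256")


def record_release_hash(repo_root, version, artifact_path):
    """Publisher side: write the digest before uploading.

    If a record already exists for this artifact name and version, raise
    instead of overwriting, which is the "already published" check the
    quoted message describes. Returns the hex digest that was recorded.
    """
    artifact_path = Path(artifact_path)
    record = record_path(repo_root, version, artifact_path.name)
    if record.exists():
        raise FileExistsError(
            f"{artifact_path.name} already recorded for {version}: {record}")
    record.parent.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(artifact_path)
    # Same "<hex>  <name>" line format as sha256sum, so `sha256sum -c` works too.
    record.write_text(f"{digest}  {artifact_path.name}\n", encoding="utf-8")
    return digest


def verify_download(repo_root, version, downloaded_path):
    """Consumer side: compare a downloaded file against the recorded digest.

    Returns True on match, False on mismatch; raises FileNotFoundError if no
    record exists and ValueError if the record names a different file.
    """
    downloaded_path = Path(downloaded_path)
    record = record_path(repo_root, version, downloaded_path.name)
    expected, _, recorded_name = (
        record.read_text(encoding="utf-8").strip().partition("  "))
    if recorded_name != downloaded_path.name:
        raise ValueError(
            f"record names {recorded_name!r}, not {downloaded_path.name!r}")
    # compare_digest avoids timing leaks; irrelevant for hex here but cheap.
    return hmac.compare_digest(expected, sha256_file(downloaded_path))


def demo():
    """Run the whole workflow on a constructed artifact in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"           # stands in for the project's VCS checkout
        dist = Path(tmp) / "dist"           # stands in for `python setup.py sdist` output
        downloads = Path(tmp) / "downloads" # stands in for what pip fetched
        for d in (repo, dist, downloads):
            d.mkdir()

        artifact = dist / "example-1.0.0.tar.gz"
        artifact.write_bytes(b"constructed sample artifact bytes\n")  # constructed

        digest = record_release_hash(repo, "1.0.0", artifact)
        results["first_upload_ok"] = len(digest) == 64

        results["genuine_verifies"] = verify_download(repo, "1.0.0", artifact)

        # A modified file with the same name: the record no longer matches.
        tampered = downloads / artifact.name
        tampered.write_bytes(artifact.read_bytes() + b"x")
        results["tampered_verifies"] = verify_download(repo, "1.0.0", tampered)

        # A second upload of the same version/name is refused by the record check.
        try:
            record_release_hash(repo, "1.0.0", artifact)
            results["re_upload_rejected"] = False
        except FileExistsError:
            results["re_upload_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The block does only what the quoted proposal asks for: record, refuse a second upload of the same name and version, and verify a download. As point 2 of the reply notes, an unsigned hash file moves trust to whoever hosts the repository rather than removing it; nothing here signs the record.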