+1 for transitive trust. At the base/simplest level, `pip` would trust any packages trusted by PyPI.
More advanced users / more security-oriented installation can add additional "required trusts". Maybe another special "PyPI Curator" pseudo-user. All packages whose signing key is trusted by PyPI *and* PyPI Curator can be deemed trustworthy. And if in a highly secure environment, probably internal curators. Which means that installation of packages will require three (or more) trusts: PyPI, PyPI Curator, [email protected], [email protected], etc.

(The relationship need not be simple boolean AND, but can also be implemented as a score system. For example, PyPI has weight 0.5, PyPI Curator has weight 1.0, internal company curators have weights 2.0 (> PyPI + PyPI Curator), and minimum acceptable score is 5.5, meaning that the package must be trusted by PyPI, PyPI Curator, and at least 2 internal company curators.)

We can even create multiple levels of "PyPI Curator":

* PyPI Trusted Authors -- automagically trust well-known 'authors'
* PyPI Voted Trust -- packages voted by a committee (or by minimum N users) to be trustworthy
* PyPI Audited Trust -- packages that had gone through a more thorough code audit / code review

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~
• LOPSA Member #15248
• Blog : http://pandu.poluan.info/blog/
• Linked-In : http://id.linkedin.com/in/pepoluan

On Fri, Jun 2, 2017 at 9:33 AM, Matt Joyce <[email protected]> wrote:
> I was more pushing for the transitive trust element than signing. That
> being said, any signing at all would be progress.
>
> On Jun 1, 2017 9:07 PM, "Donald Stufft" <[email protected]> wrote:
>
> On Jun 1, 2017, at 8:15 PM, Matt Joyce <[email protected]> wrote:
>
> Or start doing signed pgp for package maintainers and build a transitive
> trust model.
>
> PGP is not useful for our use case except as a generic crypto primitive,
> and there are better generic crypto primitives out there. See
> https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/
>
> —
> Donald Stufft
_______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
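Added example (not code from the thread, pip or PyPI): a small evaluator for the weighted "score system" proposed above, using the weights and threshold from the message (PyPI 0.5, PyPI Curator 1.0, internal curators 2.0, minimum 5.5). The curator identities are constructed placeholders. The `required` set is an assumption added on top of the score: a pure weighted sum would also accept a package endorsed by three internal curators and nobody else (score 7.0), so the evaluator checks mandatory trust anchors first and the score second. Signers are deduplicated so that one key signing twice does not double-count, and unknown signers add no weight.

```python
"""Trust-policy evaluator for package endorsements.

Added example, not pip/PyPI code. Weights and threshold follow the
thread's proposal; `required` is an added check enforcing the stated
intent that PyPI and PyPI Curator must both trust the package.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TrustPolicy:
    weights: dict[str, float]               # signer identity -> trust weight
    threshold: float                        # minimum acceptable total score
    required: frozenset[str] = frozenset()  # signers that must be present regardless of score

    def score(self, signers) -> float:
        """Sum the weights of the known signers that endorsed the package.

        Deduplicated: a signer counts once however many times it signed.
        Unknown signers contribute 0.0, so a stranger's signature adds no trust.
        """
        return sum(self.weights.get(s, 0.0) for s in set(signers))

    def evaluate(self, signers) -> tuple[bool, list[str]]:
        """Return (accepted, reasons).

        Accept only when every required signer is present *and* the weighted
        score reaches the threshold; `reasons` lists each failed condition.
        """
        present = set(signers)
        missing = sorted(self.required - present)
        total = self.score(present)
        reasons = []
        if missing:
            reasons.append("missing required signer(s): " + ", ".join(missing))
        if total < self.threshold:
            reasons.append(f"score {total:.1f} below threshold {self.threshold:.1f}")
        return (not reasons, reasons)


def strictly_and(signers, needed) -> bool:
    """The plain boolean-AND variant: every named trust anchor must have signed."""
    return set(needed) <= set(signers)


# Weights from the message; the curator addresses are constructed placeholders.
CORPORATE_POLICY = TrustPolicy(
    weights={
        "PyPI": 0.5,
        "PyPI Curator": 1.0,
        "curator1@internal.example": 2.0,
        "curator2@internal.example": 2.0,
        "curator3@internal.example": 2.0,
    },
    threshold=5.5,
    required=frozenset({"PyPI", "PyPI Curator"}),
)

# The base level from the first paragraph: pip trusts whatever PyPI trusts.
BASE_POLICY = TrustPolicy(weights={"PyPI": 1.0}, threshold=1.0, required=frozenset({"PyPI"}))


if __name__ == "__main__":
    ok = ["PyPI", "PyPI Curator", "curator1@internal.example", "curator2@internal.example"]
    print(CORPORATE_POLICY.evaluate(ok))
    print(CORPORATE_POLICY.evaluate(["PyPI", "PyPI Curator", "curator1@internal.example"]))
    # Three internal curators but no PyPI endorsement: the score alone would pass.
    print(CORPORATE_POLICY.evaluate(
        ["PyPI Curator", "curator1@internal.example",
         "curator2@internal.example", "curator3@internal.example"]))
```

The two checks are deliberately separate: the score expresses "how much" endorsement a package has, while `required` expresses "from whom" it must come. Tuning only the weights cannot express the second property, which is why a site policy will usually want both.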
