Quoting Antoine Pitrou <solip...@pitrou.net>:

> On Fri, 22 Jun 2012 12:27:19 +0100
> Paul Moore <p.f.mo...@gmail.com> wrote:
>
>> Signed binaries may be a solution. My experience with signed binaries
>> has not been exactly positive, but it's an option. Presumably PyPI
>> would be the trusted authority? Would PyPI and the downloaders need to
>> use SSL? Would developers need to have signing keys to use PyPI? And
>> more to the point, do the people designing the packaging solutions
>> have experience with this sort of stuff (I sure don't :-))?
>
> The ones signing the binaries would have to be the packagers, not PyPI.

It depends. PyPI already signs all binaries (essentially) as part of the
mirror protocol. What this proves is that the mirror has not modified
the data compared to the copy on PyPI. If PyPI can be trusted not to modify
the binaries, then this also proves that the binaries are the same as
originally uploaded.

What this doesn't prove is that the upload was really made by the declared
author of the package (which could be prevented by signing the packages
by the original author); it also doesn't prove that the binaries are free
of malicious code (which no amount of signing can prove).

> PyPI-signing of packages would not achieve anything, since PyPI cannot
> vouch for the quality and non-maliciousness of uploaded files.

That's just not true. It can prove that the files have not been modified
by mirrors, caches, and the like, of which there are plenty in practice.

> It would only serve as a replacement for SSL downloads.

See above. Also notice that such signing is already implemented, as part
of PEP 381.

Regards,
Martin


_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev