Re: [Python-Dev] Signed packages
Quote from Hynek Schlawack:

> On 23.06.12 14:03, mar...@v.loewis.de wrote:
>>> I'm surprised gpg hasn't been mentioned here. I think these are all
>>> solved problems, most free software that is signed signs it with the
>>> gpg key of the author. In that case all that is needed is that the
>>> cheeseshop allows the uploading of the signature.
>> For the record, the cheeseshop has been supporting pgp signatures
>> for about ten years now. Several projects have been using that for
>> quite a while in their releases.
> Also for the record, it's broken as of Python 3.2. See
> http://bugs.python.org/issue10571

That's different, though: PyPI continues to support it just fine.
It's only distutils which has it broken. If you manually run gpg,
and manually upload through the web interface, it still works.

Regards,
Martin

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Signed packages
On 23.06.12 14:03, mar...@v.loewis.de wrote:
>> I'm surprised gpg hasn't been mentioned here. I think these are all
>> solved problems, most free software that is signed signs it with the
>> gpg key of the author. In that case all that is needed is that the
>> cheeseshop allows the uploading of the signature.
> For the record, the cheeseshop has been supporting pgp signatures
> for about ten years now. Several projects have been using that for
> quite a while in their releases.

Also for the record, it's broken as of Python 3.2. See
http://bugs.python.org/issue10571
Re: [Python-Dev] Signed packages
> I'm surprised gpg hasn't been mentioned here. I think these are all
> solved problems, most free software that is signed signs it with the
> gpg key of the author. In that case all that is needed is that the
> cheeseshop allows the uploading of the signature.

For the record, the cheeseshop has been supporting pgp signatures
for about ten years now. Several projects have been using that for
quite a while in their releases.

Regards,
Martin
Re: [Python-Dev] Signed packages
Oh sorry, having read the thread this spawned from I see you're talking
about MS Windows signed binaries. Something I know next to nothing about,
so ignore my babbling.

On 23 June 2012 11:52, Floris Bruynooghe wrote:
> On 22 June 2012 17:56, Donald Stufft wrote:
>> On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>>
>> Key distribution is the real issue though. If there isn't a key
>> distribution infrastructure in place, we might as well not bother with
>> signatures. PyPI could issue x509 certs to packagers. You wouldn't be
>> able to verify that the name given is accurate, but you would be able
>> to verify that all packages with the same listed author are actually
>> by that author.
>>
>> I've been sketching out ideas for key distribution, but it's very much
>> a chicken and egg problem, very few people sign their packages (because
>> nothing uses it currently), and nobody is motivated to work on
>> infrastructure or tooling because no one signs their packages.
>
> I'm surprised gpg hasn't been mentioned here. I think these are all
> solved problems, most free software that is signed signs it with the
> gpg key of the author. In that case all that is needed is that the
> cheeseshop allows the uploading of the signature. As for key
> distribution, the keyservers take care of that just fine and we'd
> probably see more and better attended signing parties at python
> conferences.
>
> Regards,
> Floris

--
Debian GNU/Linux -- The Power of Freedom
www.debian.org | www.gnu.org | www.kernel.org
Re: [Python-Dev] Signed packages
On 22 June 2012 17:56, Donald Stufft wrote:
> On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>
> Key distribution is the real issue though. If there isn't a key
> distribution infrastructure in place, we might as well not bother with
> signatures. PyPI could issue x509 certs to packagers. You wouldn't be
> able to verify that the name given is accurate, but you would be able
> to verify that all packages with the same listed author are actually
> by that author.
>
> I've been sketching out ideas for key distribution, but it's very much
> a chicken and egg problem, very few people sign their packages (because
> nothing uses it currently), and nobody is motivated to work on
> infrastructure or tooling because no one signs their packages.

I'm surprised gpg hasn't been mentioned here. I think these are all
solved problems, most free software that is signed signs it with the
gpg key of the author. In that case all that is needed is that the
cheeseshop allows the uploading of the signature. As for key
distribution, the keyservers take care of that just fine and we'd
probably see more and better attended signing parties at python
conferences.

Regards,
Floris
Re: [Python-Dev] Signed packages
Not at the moment, but I could gather them up and make them public later
today. They are very rough draft at the moment.

On Friday, June 22, 2012 at 1:09 PM, Alexandre Zani wrote:
> On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft wrote:
>> On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>>
>> Key distribution is the real issue though. If there isn't a key
>> distribution infrastructure in place, we might as well not bother with
>> signatures. PyPI could issue x509 certs to packagers. You wouldn't be
>> able to verify that the name given is accurate, but you would be able
>> to verify that all packages with the same listed author are actually
>> by that author.
>>
>> I've been sketching out ideas for key distribution, but it's very much
>> a chicken and egg problem, very few people sign their packages (because
>> nothing uses it currently), and nobody is motivated to work on
>> infrastructure or tooling because no one signs their packages.
>
> Are those ideas available publicly? I would love to chip in.
Re: [Python-Dev] Signed packages
On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft wrote:
> On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>
> Key distribution is the real issue though. If there isn't a key
> distribution infrastructure in place, we might as well not bother with
> signatures. PyPI could issue x509 certs to packagers. You wouldn't be
> able to verify that the name given is accurate, but you would be able
> to verify that all packages with the same listed author are actually
> by that author.
>
> I've been sketching out ideas for key distribution, but it's very much
> a chicken and egg problem, very few people sign their packages (because
> nothing uses it currently), and nobody is motivated to work on
> infrastructure or tooling because no one signs their packages.

Are those ideas available publicly? I would love to chip in.
Re: [Python-Dev] Signed packages
On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>
> Key distribution is the real issue though. If there isn't a key
> distribution infrastructure in place, we might as well not bother with
> signatures. PyPI could issue x509 certs to packagers. You wouldn't be
> able to verify that the name given is accurate, but you would be able
> to verify that all packages with the same listed author are actually
> by that author.

I've been sketching out ideas for key distribution, but it's very much
a chicken and egg problem, very few people sign their packages (because
nothing uses it currently), and nobody is motivated to work on
infrastructure or tooling because no one signs their packages.
Re: [Python-Dev] Signed packages
On Fri, Jun 22, 2012 at 9:35 AM, Donald Stufft wrote:
> Ideally authors will be signing their packages (using gpg keys). Of course
> how to distribute keys is an exercise left to the reader.

Key distribution is the real issue though. If there isn't a key
distribution infrastructure in place, we might as well not bother with
signatures. PyPI could issue x509 certs to packagers. You wouldn't be
able to verify that the name given is accurate, but you would be able
to verify that all packages with the same listed author are actually
by that author.

> On Friday, June 22, 2012 at 11:48 AM, Vinay Sajip wrote:
>> v.loewis.de writes:
>>> See above. Also notice that such signing is already implemented, as part
>>> of PEP 381.
>>
>> BTW, I notice that the certificate for https://pypi.python.org/ expired a
>> week ago ...
>>
>> Regards,
>>
>> Vinay Sajip
Re: [Python-Dev] Signed packages
Ideally authors will be signing their packages (using gpg keys). Of course
how to distribute keys is an exercise left to the reader.

On Friday, June 22, 2012 at 11:48 AM, Vinay Sajip wrote:
> v.loewis.de writes:
>> See above. Also notice that such signing is already implemented, as part
>> of PEP 381.
>
> BTW, I notice that the certificate for https://pypi.python.org/ expired a week
> ago ...
>
> Regards,
>
> Vinay Sajip
Re: [Python-Dev] Signed packages
v.loewis.de writes:
> See above. Also notice that such signing is already implemented, as part
> of PEP 381.

BTW, I notice that the certificate for https://pypi.python.org/ expired a week
ago ...

Regards,

Vinay Sajip
Re: [Python-Dev] Signed packages
Quote from Antoine Pitrou:

> On Fri, 22 Jun 2012 12:27:19 +0100
> Paul Moore wrote:
>> Signed binaries may be a solution. My experience with signed binaries
>> has not been exactly positive, but it's an option. Presumably PyPI
>> would be the trusted authority? Would PyPI and the downloaders need
>> to use SSL? Would developers need to have signing keys to use PyPI?
>> And more to the point, do the people designing the packaging solutions
>> have experience with this sort of stuff (I sure don't :-))?
>
> The ones signing the binaries would have to be the packagers, not PyPI.

It depends. PyPI already signs all binaries (essentially) as part of the
mirror protocol. What this proves is that the mirror has not modified the
data compared to the copy of PyPI. If PyPI can be trusted not to modify
the binaries, then this also proves that the binaries are the same as
originally uploaded. What this doesn't prove is that the upload was really
made by the declared author of the package (which could be prevented by
signing the packages by the original author); it also doesn't prove that
the binaries are free of malicious code (which no amount of signing can
prove).

> PyPI-signing of packages would not achieve anything, since PyPI cannot
> vouch for the quality and non-maliciousness of uploaded files.

That's just not true. It can prove that the files have not been modified
by mirrors, caches, and the like, of which there are plenty in practice.

> It would only serve as a replacement for SSL downloads.

See above. Also notice that such signing is already implemented, as part
of PEP 381.

Regards,
Martin
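Two points in this thread invite a concrete check on the consumer side: Martin's note that a manually produced gpg signature uploaded alongside a package still verifies, and Alexandre's and Martin's point that a valid signature only tells you *which key* signed the upload, not that that key belongs to the declared author. The following is an added example, not code from the python-dev thread, PyPI, distutils or PEP 381. It runs `gpg --status-fd 1 --verify` on a downloaded package and its detached `.asc` signature, then parses gpg's machine-readable status lines instead of trusting the exit code, because an exit status of 0 only means some key in the local keyring produced a good signature. The verdict is accepted only when the `VALIDSIG` fingerprint (subkey or primary) matches a fingerprint pinned for that project; how a pinned fingerprint reached you is exactly the key-distribution problem the thread leaves open. It assumes `gpg` is on `PATH` and the author's public key has already been imported; the status transcripts and fingerprints embedded below are constructed placeholders for offline testing.

```python
"""Verify a detached PGP signature on a package and pin it to known keys.

Added example; not code from the thread, PyPI, distutils or PEP 381.
Assumes: `gpg` is on PATH and the signer's public key is already in the
local keyring. Fingerprints and status transcripts below are constructed.
"""
import subprocess
import sys
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "
# Status keywords (see gnupg doc/DETAILS) that mean "reject outright".
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed placeholder fingerprints: a signing subkey and its primary key.
EXAMPLE_SUBKEY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
EXAMPLE_PRIMARY_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Constructed gpg --status-fd transcripts (shape follows gnupg doc/DETAILS).
SAMPLE_GOOD = f"""\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID abc123 2012-06-23 1340450000
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG {EXAMPLE_SUBKEY_FPR} 2012-06-23 1340450000 0 4 0 1 8 00 {EXAMPLE_PRIMARY_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>
"""
SAMPLE_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1340450000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprints: set = field(default_factory=set)   # keys seen in VALIDSIG
    problems: list = field(default_factory=list)     # fatal status keywords


def evaluate_status(status_text, trusted_fingerprints):
    """Decide whether a status transcript proves a signature by a pinned key."""
    trusted = {f.upper() for f in trusted_fingerprints}
    seen, problems = set(), []
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue                      # ignore anything that is not a status line
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            problems.append(keyword)
        elif keyword == "VALIDSIG" and args:
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <rsv> <pkalgo> <hash>
            #          <class> [<primary-key-fpr>]  -> pin on subkey or primary
            seen.add(args[0].upper())
            if len(args) >= 10:
                seen.add(args[-1].upper())
    if problems:
        return Verdict(False, "gpg reported " + ", ".join(sorted(set(problems))),
                       seen, problems)
    if not seen:
        return Verdict(False, "no VALIDSIG line: signature not cryptographically valid")
    if not seen & trusted:
        return Verdict(False, "valid signature, but signing key is not pinned "
                              "for this project", seen)
    return Verdict(True, "valid signature from a pinned key", seen)


def verify_package(package_path, signature_path, trusted_fingerprints):
    """Run gpg on a real package + detached signature and evaluate the result."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, package_path],
        capture_output=True, text=True, check=False)
    return evaluate_status(proc.stdout, trusted_fingerprints)


if __name__ == "__main__":
    # usage: verify_pkg.py <package> <package.asc> <pinned-fingerprint>...
    if len(sys.argv) < 4:
        sys.exit("usage: %s PACKAGE SIGNATURE FINGERPRINT..." % sys.argv[0])
    verdict = verify_package(sys.argv[1], sys.argv[2], set(sys.argv[3:]))
    print(("OK: " if verdict.ok else "REJECT: ") + verdict.reason)
    sys.exit(0 if verdict.ok else 1)
```

The pinned fingerprints must come from somewhere other than the package index itself (a project's documentation, a prior release you already trust, or an out-of-band exchange), otherwise a compromised index or mirror can substitute both the package and the key it was signed with; that is the gap between "PyPI signs what it serves" (PEP 381 mirror integrity) and "the author signed what was uploaded" (author authenticity) that Martin's message separates.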