Re: [Python-Dev] Signed packages

2012-06-28 Thread Hynek Schlawack
On 23.06.12 14:03, mar...@v.loewis.de wrote:

 I'm surprised gpg hasn't been mentioned here.  I think these are all
 solved problems, most free software that is signed signs it with the
 gpg key of the author.  In that case all that is needed is that the
 cheeseshop allows the uploading of the signature.
 For the record, the cheeseshop has been supporting pgp signatures
 for about ten years now. Several projects have been using that for
 quite a while in their releases.

Also for the record, it’s broken as of Python 3.2. See
http://bugs.python.org/issue10571
___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] Signed packages

2012-06-28 Thread martin


Quoting Hynek Schlawack h...@ox.cx:


On 23.06.12 14:03, mar...@v.loewis.de wrote:


I'm surprised gpg hasn't been mentioned here.  I think these are all
solved problems, most free software that is signed signs it with the
gpg key of the author.  In that case all that is needed is that the
cheeseshop allows the uploading of the signature.

For the record, the cheeseshop has been supporting pgp signatures
for about ten years now. Several projects have been using that for
quite a while in their releases.


Also for the record, it's broken as of Python 3.2. See
http://bugs.python.org/issue10571


That's different, though: PyPI continues to support it just fine.
It's only distutils which has it broken. If you manually run gpg,
and manually upload through the web interface, it still works.

Regards,
Martin




Re: [Python-Dev] Signed packages

2012-06-23 Thread Floris Bruynooghe
On 22 June 2012 17:56, Donald Stufft donald.stu...@gmail.com wrote:
 On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:

 Key distribution is the real issue though. If there isn't a key
 distribution infrastructure in place, we might as well not bother with
 signatures. PyPI could issue x509 certs to packagers. You wouldn't be
 able to verify that the name given is accurate, but you would be able
 to verify that all packages with the same listed author are actually
 by that author.

 I've been sketching out ideas for key distribution, but it's very much
 a chicken and egg problem, very few people sign their packages (because
 nothing uses it currently), and nobody is motivated to work on
 infrastructure
 or tooling because no one signs their packages.


I'm surprised gpg hasn't been mentioned here.  I think these are all
solved problems, most free software that is signed signs it with the
gpg key of the author.  In that case all that is needed is that the
cheeseshop allows the uploading of the signature.  As for key
distribution, the keyservers take care of that just fine and we'd
probably see more and better attended signing parties at python
conferences.

Regards,
Floris


Re: [Python-Dev] Signed packages

2012-06-23 Thread Floris Bruynooghe
Oh sorry, having read the thread this spawned from I see you're talking
about MS Windows signed binaries.  Something I know next to nothing
about, so ignore my babbling.

On 23 June 2012 11:52, Floris Bruynooghe f...@devork.be wrote:
 On 22 June 2012 17:56, Donald Stufft donald.stu...@gmail.com wrote:
 On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:

 Key distribution is the real issue though. If there isn't a key
 distribution infrastructure in place, we might as well not bother with
 signatures. PyPI could issue x509 certs to packagers. You wouldn't be
 able to verify that the name given is accurate, but you would be able
 to verify that all packages with the same listed author are actually
 by that author.

 I've been sketching out ideas for key distribution, but it's very much
 a chicken and egg problem, very few people sign their packages (because
 nothing uses it currently), and nobody is motivated to work on
 infrastructure
 or tooling because no one signs their packages.


 I'm surprised gpg hasn't been mentioned here.  I think these are all
 solved problems, most free software that is signed signs it with the
 gpg key of the author.  In that case all that is needed is that the
 cheeseshop allows the uploading of the signature.  As for key
 distribution, the keyservers take care of that just fine and we'd
 probably see more and better attended signing parties at python
 conferences.

 Regards,
 Floris



-- 
Debian GNU/Linux -- The Power of Freedom
www.debian.org | www.gnu.org | www.kernel.org


Re: [Python-Dev] Signed packages

2012-06-23 Thread martin

I'm surprised gpg hasn't been mentioned here.  I think these are all
solved problems, most free software that is signed signs it with the
gpg key of the author.  In that case all that is needed is that the
cheeseshop allows the uploading of the signature.


For the record, the cheeseshop has been supporting pgp signatures
for about ten years now. Several projects have been using that for
quite a while in their releases.

Regards,
Martin




Re: [Python-Dev] Signed packages

2012-06-22 Thread martin


Quoting Antoine Pitrou solip...@pitrou.net:


On Fri, 22 Jun 2012 12:27:19 +0100
Paul Moore p.f.mo...@gmail.com wrote:


Signed binaries may be a solution. My experience with signed binaries
has not been exactly positive, but it's an option. Presumably PyPI
would be the trusted authority? Would PyPI and the downloaders need to
use SSL? Would developers need to have signing keys to use PyPI? And
more to the point, do the people designing the packaging solutions
have experience with this sort of stuff (I sure don't :-))?


The ones signing the binaries would have to be the packagers, not PyPI.


It depends. PyPI already signs all binaries (essentially) as part of the
mirror protocol. What this proves is that the mirror has not modified
the data compared to the copy of PyPI. If PyPI can be trusted not to modify
the binaries, then this also proves that the binaries are the same as
originally uploaded.

What this doesn't prove is that the upload was really made by the declared
author of the package (which could be prevented by signing the packages
by the original author); it also doesn't prove that the binaries are free
of malicious code (which no amount of signing can prove).


PyPI-signing of packages would not achieve anything, since PyPI cannot
vouch for the quality and non-maliciousness of uploaded files.


That's just not true. It can prove that the files have not been modified
by mirrors, caches, and the like, of which there are plenty in practice.


It would only serve as a replacement for SSL downloads.


See above. Also notice that such signing is already implemented, as part
of PEP 381.

Regards,
Martin




Re: [Python-Dev] Signed packages

2012-06-22 Thread Vinay Sajip
 martin at v.loewis.de writes:

 
 See above. Also notice that such signing is already implemented, as part
 of PEP 381.
 

BTW, I notice that the certificate for https://pypi.python.org/ expired a week
ago ...

Regards,

Vinay Sajip




Re: [Python-Dev] Signed packages

2012-06-22 Thread Donald Stufft
Ideally authors will be signing their packages (using gpg keys). Of course 
how to distribute keys is an exercise left to the reader.


On Friday, June 22, 2012 at 11:48 AM, Vinay Sajip wrote:

 martin at v.loewis.de writes:
 
  
  See above. Also notice that such signing is already implemented, as part
  of PEP 381.
  
 
 
 BTW, I notice that the certificate for https://pypi.python.org/ expired a week
 ago ...
 
 Regards,
 
 Vinay Sajip
 




Re: [Python-Dev] Signed packages

2012-06-22 Thread Donald Stufft
On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
 
 Key distribution is the real issue though. If there isn't a key
 distribution infrastructure in place, we might as well not bother with
 signatures. PyPI could issue x509 certs to packagers. You wouldn't be
 able to verify that the name given is accurate, but you would be able
 to verify that all packages with the same listed author are actually
 by that author.
 
 

I've been sketching out ideas for key distribution, but it's very much
a chicken and egg problem, very few people sign their packages (because
nothing uses it currently), and nobody is motivated to work on infrastructure
or tooling because no one signs their packages. 
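Martin's point earlier in the thread (the PEP 381 server signature proves that a mirror served what PyPI holds, an author signature proves who uploaded the file, and neither proves the code is benign) and Alexandre's point quoted above (a registry-issued key at least ties every package listed under one author to one key) are easy to conflate. The following is an added example, not code from the thread, from PyPI or from PEP 381: a stripped-down client that runs the two checks in order and reports which layer failed. Textbook RSA over SHA-256 stands in for PGP/DSA so that it runs on the standard library alone (Python 3.8+ for pow(e, -1, m)); it is a toy, not a signing scheme to deploy. The fixed Mersenne-prime keys, the "name sha256" index page (PEP 381's real page is HTML with md5 fragments) and the per-author key pin store are assumptions made for illustration.

```python
"""Two-layer release verification, modelled on the python-dev discussion.
Added example, not code from the thread, PyPI or PEP 381.  Textbook RSA
over SHA-256 stands in for PGP/DSA; the key material, the sha256 index
page and the per-author key pin store are assumptions for illustration."""
import hashlib


def toy_keypair(p, q, e=65537):
    """Textbook RSA from two fixed primes: no padding, no real key generation."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (e, n), (d, n)


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def toy_sign(data, priv):
    d, n = priv
    return pow(_digest_int(data), d, n)


def toy_verify(data, sig, pub):
    e, n = pub
    return pow(sig, e, n) == _digest_int(data)


# Mersenne primes keep the arithmetic self-contained; the pairing is arbitrary.
PYPI_PUB, PYPI_PRIV = toy_keypair((1 << 127) - 1, (1 << 521) - 1)
ALICE_PUB, ALICE_PRIV = toy_keypair((1 << 89) - 1, (1 << 607) - 1)
MALLORY_PUB, MALLORY_PRIV = toy_keypair((1 << 107) - 1, (1 << 1279) - 1)


def build_index_page(files):
    """Index side: the listing a mirror copies, one 'name sha256' line per file."""
    return "".join(f"{name} {hashlib.sha256(blob).hexdigest()}\n"
                   for name, blob in files.items()).encode()


def make_release(name, blob, author, author_priv, author_pub, index_priv):
    """What an honest index plus an honest mirror hand to the client."""
    index = build_index_page({name: blob})
    return {"index": index,
            "serversig": toy_sign(index, index_priv),
            "files": {name: (blob, author, toy_sign(blob, author_priv), author_pub)}}


def check_release(resp, name, index_pub, pins):
    """Client checks in the order the thread separates them.
    Returns "ok" or a string naming the first check that failed."""
    # 1. Mirror fidelity: the index page carries the index's own signature.
    if not toy_verify(resp["index"], resp["serversig"], index_pub):
        return "mirror: index page signature invalid"
    # 2. The archive the mirror served is the one the signed page lists.
    listed = dict(line.split() for line in resp["index"].decode().splitlines())
    blob, author, author_sig, author_pub = resp["files"][name]
    if listed.get(name) != hashlib.sha256(blob).hexdigest():
        return "mirror: archive does not match index page"
    # 3. Authorship: the key must be the one already pinned for this author
    #    (trust on first use), and the detached signature must verify.
    pinned = pins.setdefault(author, author_pub)
    if pinned != author_pub:
        return "author: key differs from pinned key"
    if not toy_verify(blob, author_sig, author_pub):
        return "author: archive signature invalid"
    # 4. Nothing above looked inside the archive; "ok" does not mean benign.
    return "ok"


def scenarios():
    """Constructed sample releases; returns the verdict of each case."""
    pins = {}
    name = "toy-1.0.tar.gz"
    honest = make_release(name, b"constructed archive bytes", "alice",
                          ALICE_PRIV, ALICE_PUB, PYPI_PRIV)
    out = {"honest mirror": check_release(honest, name, PYPI_PUB, pins)}

    # A mirror swaps the archive; it cannot re-sign the index page.
    swapped = dict(honest)
    swapped["files"] = {name: (b"trojaned",) + honest["files"][name][1:]}
    out["mirror swapped archive"] = check_release(swapped, name, PYPI_PUB, pins)

    # A mirror rewrites the page to match, signing with a key that is not the index's.
    page = build_index_page({name: b"trojaned"})
    rewritten = {"index": page, "serversig": toy_sign(page, MALLORY_PRIV),
                 "files": {name: (b"trojaned", "alice", 0, ALICE_PUB)}}
    out["mirror rewrote index"] = check_release(rewritten, name, PYPI_PUB, pins)

    # An upload through a hijacked index account, signed with the intruder's key:
    # the index signature is genuine, the author key is not the pinned one.
    hijacked = make_release("toy-1.1.tar.gz", b"backdoored", "alice",
                            MALLORY_PRIV, MALLORY_PUB, PYPI_PRIV)
    out["upload under hijacked account"] = check_release(
        hijacked, "toy-1.1.tar.gz", PYPI_PUB, pins)

    # The real author signs malicious code: every check passes.
    rogue = make_release("toy-1.2.tar.gz", b"import os; os.system('...')", "alice",
                         ALICE_PRIV, ALICE_PUB, PYPI_PRIV)
    out["author signed malicious code"] = check_release(
        rogue, "toy-1.2.tar.gz", PYPI_PUB, pins)
    return out


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:32} -> {verdict}")
```

The last two cases are the ones worth keeping in mind when reading the thread: a genuine index signature plus a genuine author signature still says nothing about what the archive does, and the hijacked-account case is only caught because the client remembers which key it saw for that author before, which is exactly the key-distribution problem Donald and Alexandre are circling.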


Re: [Python-Dev] Signed packages

2012-06-22 Thread Donald Stufft
Not at the moment, but I could gather them up and make them public later today.
They are very rough drafts at the moment.


On Friday, June 22, 2012 at 1:09 PM, Alexandre Zani wrote:

 On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft donald.stu...@gmail.com wrote:
  On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
  
  
  Key distribution is the real issue though. If there isn't a key
  distribution infrastructure in place, we might as well not bother with
  signatures. PyPI could issue x509 certs to packagers. You wouldn't be
  able to verify that the name given is accurate, but you would be able
  to verify that all packages with the same listed author are actually
  by that author.
  
  I've been sketching out ideas for key distribution, but it's very much
  a chicken and egg problem, very few people sign their packages (because
  nothing uses it currently), and nobody is motivated to work on
  infrastructure
  or tooling because no one signs their packages.
  
 
 
 Are those ideas available publicly? I would love to chip in. 
