[Python-Dev] Signed packages

Antoine Pitrou solipsis at pitrou.net
Fri Jun 22 16:19:10 CEST 2012


On Fri, 22 Jun 2012 12:27:19 +0100 Paul Moore <p.f.moore at gmail.com> wrote:

> Signed binaries may be a solution. My experience with signed binaries has not been exactly positive, but it's an option. Presumably PyPI would be the trusted authority? Would PyPI and the downloaders need to use SSL? Would developers need to have signing keys to use PyPI? And more to the point, do the people designing the packaging solutions have experience with this sort of stuff (I sure don't :-))?

The ones signing the binaries would have to be the packagers, not PyPI.

Also, if packages are signed, you arguably don't need to use SSL when downloading them (but SSL can still be useful for other purposes e.g. navigating in the catalog).

PyPI-signing of packages would not achieve anything, since PyPI cannot vouch for the quality and non-maliciousness of uploaded files. It would only serve as a replacement for SSL downloads.

Regards

Antoine.
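The trust model the reply sketches (the packager signs, not the index; an index signature only stands in for SSL; a packager signature holds no matter how the bytes travelled) can be followed end to end in a small simulation. This is an added example, not code from the thread, from PyPI or from any packaging tool; it assumes Ed25519 detached signatures over a SHA-256 digest of the archive, and a downloader that has pinned the packager's public key out of band. The package name, archive bytes and all keys are constructed in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedPackage is what a downloader ends up holding: the archive, the
// packager's signature over its SHA-256 digest, and optionally a second
// signature the index added when it stored the file.
type SignedPackage struct {
	Name        string
	Archive     []byte
	PackagerSig []byte
	IndexSig    []byte
}

// Signer is an Ed25519 key pair. The packager and the index each own one;
// the private half never leaves its owner. (Assumed scheme, see lead-in.)
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

func digest(b []byte) []byte {
	d := sha256.Sum256(b)
	return d[:]
}

// Release is the packager's step: sign the archive digest before upload.
func (s *Signer) Release(name string, archive []byte) SignedPackage {
	return SignedPackage{Name: name, Archive: archive, PackagerSig: ed25519.Sign(s.priv, digest(archive))}
}

// Store is the index's step. It signs whatever was uploaded because it has
// no way to judge the content, so IndexSig only proves "this is the file the
// index holds", exactly what an SSL download from the index would prove.
func (s *Signer) Store(pkg SignedPackage) SignedPackage {
	pkg.IndexSig = ed25519.Sign(s.priv, digest(pkg.Archive))
	return pkg
}

// TrustStore maps a package name to the packager key the downloader already
// trusts. The key is pinned out of band; the index is not the trust root.
type TrustStore map[string]ed25519.PublicKey

// VerifyPackager is the check that replaces SSL for integrity: the transport
// path (mirror, plain HTTP) does not matter, only the packager's key does.
func (ts TrustStore) VerifyPackager(pkg SignedPackage) bool {
	key, ok := ts[pkg.Name]
	if !ok {
		return false
	}
	return ed25519.Verify(key, digest(pkg.Archive), pkg.PackagerSig)
}

// VerifyIndex checks the index's own signature.
func VerifyIndex(indexKey ed25519.PublicKey, pkg SignedPackage) bool {
	return ed25519.Verify(indexKey, digest(pkg.Archive), pkg.IndexSig)
}

// Scenario runs the three cases from the thread and reports each verdict:
// a genuine release, the same release altered in transit, and an upload under
// the same name by someone who is not the trusted packager.
func Scenario() (genuineOK, tamperedOK, otherUploaderPackagerOK, otherUploaderIndexOK bool, err error) {
	packager, err := NewSigner()
	if err != nil {
		return
	}
	index, err := NewSigner()
	if err != nil {
		return
	}
	otherUploader, err := NewSigner()
	if err != nil {
		return
	}
	trust := TrustStore{"example-pkg": packager.Pub} // constructed name and pin

	genuine := index.Store(packager.Release("example-pkg", []byte("constructed archive bytes v1.0")))
	genuineOK = trust.VerifyPackager(genuine)

	// Same file with one byte flipped on the way down: no SSL, untrusted mirror.
	tampered := genuine
	tampered.Archive = append([]byte(nil), genuine.Archive...)
	tampered.Archive[0] ^= 0xff
	tamperedOK = trust.VerifyPackager(tampered)

	// A different key uploads under the same name; the index stores and
	// signs it like any other file.
	other := index.Store(otherUploader.Release("example-pkg", []byte("constructed archive bytes v1.0, different author")))
	otherUploaderPackagerOK = trust.VerifyPackager(other)
	otherUploaderIndexOK = VerifyIndex(index.Pub, other)
	return
}

func main() {
	g, t, op, oi, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v other/packager-key=%v other/index-key=%v\n", g, t, op, oi)
}
```

The last two results are the point of the reply: the index signature on the unknown uploader's file verifies fine, because the index signs everything it stores, while the packager-key check rejects it. Only the packager-key check ties the bytes to an author, which is why signing responsibility has to sit with the packagers and why an index-only signature buys nothing beyond what SSL already gives.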


