
Re: GnuPG signatures on PyPI: why so few?



Donald Stufft <donald@stufft.io> writes:

> https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html

  "I am aware of a single tool anywhere that actively supports verifying the
  signatures that people upload to PyPI, and that is Debian's uscan program. Even
  in that case the people writing the Debian watch file have to hardcode in a
  signing key into it and in my experience, when faced with a validation error
  it's not unusual for Debian to simply disable signature checking for that
  project and/or just blindly update the key to whatever the new key is."

I would never just blindly disable signature checking or update the key
without carefully checking that this is legitimate first (and/or
carefully checking the diff). For example, if releases were signed by
person A, but now signed by person B, there should be some sort of
public record of this fact. If not, ask on a public forum.

If you remove signatures (or don't supply them in the first place), then
we - as Debian packagers - have no way of validating the upload. So you
only need to compromise the package the maintainer downloads, and
subsequently everyone who uses the (signed) Debian packaging is
affected.

If however PyPI were to remove signatures, this would make the decision
whether to use PyPI or github as the source somewhat easier.
-- 
Brian May <bam@debian.org>

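The pinned-key check that uscan performs, reproduced by hand with plain gpg so it runs offline, as an added example that is not code from this thread or from Debian's tooling. It assumes gpg 2.1 or later is installed; the project name "example", the signers "Person A" and "Person B", the tarball contents and all key material are constructed on the fly. It shows the two situations the thread describes: a release signed by the pinned key verifies, and the next release signed by a different person fails with a validation error instead of being silently accepted.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Debian's uscan:
# reproduces uscan's pinned-key check with plain gpg so it runs offline.
# Everything here is constructed: the project "example", the signers
# "Person A"/"Person B", and all key material generated below.
set -u

WORK="$(mktemp -d)"
PINNED="$WORK/debian/upstream/signing-key.asc"   # where uscan (version=4) looks

cleanup() {
    for h in "$WORK"/key-a "$WORK"/key-b "$WORK"/verifier.*; do
        [ -d "$h" ] && gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || :
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

make_signer() {   # $1 homedir, $2 name, $3 email: unprotected ed25519 signing key
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

sign_release() {  # $1 homedir, $2 tarball: writes a detached armored $2.asc
    gpg --homedir "$1" --batch --yes --quiet --armor --detach-sign \
        --output "$2.asc" "$2"
}

verify_pinned() { # $1 pinned key file, $2 tarball: 0 iff $2.asc verifies with $1
    v="$(mktemp -d "$WORK/verifier.XXXXXX")"        # fresh keyring: only the pinned key
    gpg --homedir "$v" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$v" --batch --quiet --verify "$2.asc" "$2" 2>/dev/null
    rc=$?
    gpgconf --homedir "$v" --kill gpg-agent 2>/dev/null || :
    return "$rc"
}

demo() {
    tarball="$WORK/example-1.0.tar.gz"
    printf 'constructed release contents\n' > "$tarball"
    make_signer "$WORK/key-a" "Person A" "a@example.invalid"
    make_signer "$WORK/key-b" "Person B" "b@example.invalid"

    # Debian packaging side: pin A's public key and point the watch file at
    # PyPI with pgpsigurlmangle so uscan fetches <tarball>.asc alongside it.
    mkdir -p "$WORK/debian/upstream"
    gpg --homedir "$WORK/key-a" --batch --quiet --armor \
        --export a@example.invalid > "$PINNED"
    cat > "$WORK/debian/watch" <<'EOF'
version=4
opts="pgpsigurlmangle=s/$/.asc/" \
https://pypi.debian.net/example/example-(.+)\.tar\.gz
EOF

    # Release 1: signed by A, the pinned key -> verifies (exit 0).
    sign_release "$WORK/key-a" "$tarball"
    RESULT_A=0; verify_pinned "$PINNED" "$tarball" || RESULT_A=$?

    # Release 2: same file, now signed by B -> gpg reports "No public key"
    # (exit 2).  This is the validation error the thread describes; the
    # right response is to establish why the signer changed, not to pin B.
    sign_release "$WORK/key-b" "$tarball"
    RESULT_B=0; verify_pinned "$PINNED" "$tarball" || RESULT_B=$?
}

demo
echo "signed by pinned key A: exit $RESULT_A; signed by unknown key B: exit $RESULT_B"
```

The verifier keyring is created fresh for every check and holds nothing but the pinned key, so a signature from anyone else fails regardless of what keys happen to be in the maintainer's own keyring; that is the property the hardcoded key in the watch file is meant to give, and it is lost the moment the key file is overwritten with whatever key the new upload was signed with.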