Re: GnuPG signatures on PyPI: why so few?

To: debian-python@lists.debian.org
Subject: Re: GnuPG signatures on PyPI: why so few?
From: Hans-Christoph Steiner <hans@at.or.at>
Date: Mon, 13 Mar 2017 12:28:11 +0100
Message-id: <[🔎] d1cc7715-fc7c-9b6d-44a3-5f7a1494b18d@at.or.at>
In-reply-to: <[🔎] 103B2EC3-2E7F-4E1A-913B-B92BB2A916D8@stufft.io>
References: <[🔎] 85r323gw48.fsf@benfinney.id.au> <[🔎] 20170312202807.GP12827@yuggoth.org> <[🔎] CAKTje6G_g881+eksOTzcvQXCd88fVSpRUvkdYbE02JQiDpYxcA@mail.gmail.com> <[🔎] 103B2EC3-2E7F-4E1A-913B-B92BB2A916D8@stufft.io>

Donald Stufft:
> 
>> On Mar 12, 2017, at 10:35 PM, Paul Wise <pabs@debian.org> wrote:
>>
>> On Mon, Mar 13, 2017 at 4:28 AM, Jeremy Stanley wrote:
>>
>>> upload them to PyPI since the authors of the coming Warehouse
>>> replacement for the current CheeseShop PyPI have already indicated
>>> that they intend to drop support for signatures entirely.
>>
>> Did they give any reasoning for this decision?
>>
> 
> 
> https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html <https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html>
> 
> —
> Donald Stufft

Your analysis makes sense: the hardest part of this problem is managing
_who_ is the trusted signer of a given package.  TOFU
(Trust-On-First-Use) is the easy case here: the first person to sign the
release is the one to trust.  Android's APK signature verification for
updates is entirely based on that principal.

It seems that so many Python and Java library developers (mavenCentral
is in a similar boat to PyPi) just want to ignore the signing key
management because its annoying.  Yes, it is annoying, I do a lot of it.
 Android forces all devs to manage a signing key: unsigned APKs are not
installable, and Google Play even rejects APKs signed by debug keys.

I think the Android/Google Play model would work quite well for PyPI,
but the social problem of getting python devs to take responsibility
would be the hard part.  I manages the transition of F-Droid app repos
to only signed, which is a small example.  There were some complaints,
but nothing so bad when we pointed them to the fdroid tool that
automatically generated the signing key for them.  pip can easily
generate and use a signing key (GPG, TUF, whatever) automatically.  Then
devs just need to learn out to safely manage them.  Android Studio's key
generation is pretty new, and has kind of shitty security
recommendations.  Android devs are still learning, but I think overall,
its working out well there.

As for TUF (The Update Framework), I know the concepts well.  I've
looked into it while implementing the F-Droid security model
(https://f-droid.org/wiki/page/Security_Model).  It does not deal with
the issue of managing identity of package uploaders at all, it assumes
you already have all the software in place, and just deals with
distributing updates.  Also, with TUF, you'll be in the exact same boat
here: signing keys are required per package stream, so each developer
will need to managing signing keys.

.hc

Reply to:

References:
- GnuPG signatures on PyPI: why so few?
  - From: Ben Finney <bignose@debian.org>
- Re: GnuPG signatures on PyPI: why so few?
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: GnuPG signatures on PyPI: why so few?
  - From: Paul Wise <pabs@debian.org>
- Re: GnuPG signatures on PyPI: why so few?
  - From: Donald Stufft <donald@stufft.io>

Prev by Date: Re: I want to maintain my current packages within the team
Next by Date: Re: GnuPG signatures on PyPI: why so few?
Previous by thread: Re: GnuPG signatures on PyPI: why so few?
Next by thread: Re: GnuPG signatures on PyPI: why so few?
Index(es):
- Date
- Thread