Security: end to end package signature validation. #11224
Comments
I can look into it. btw, is #8719 partially related?
No, it's not related. There's a much broader thing that affects more than just pip. Luckily, you're not the only person who wants this, and there's actually been extensive discussion and design toward this in the ecosystem as a whole. See https://peps.python.org/pep-0458/ and https://peps.python.org/pep-0480/. I'm gonna close this, since this is being tracked in pypi/warehouse#10672
Thanks for your answer. However, it's not quite the same. I understand I'm late to the train to discuss this PEP, but if the point of PEP 480 is end-to-end encryption to counter the risk of PyPI's compromise, why does it want to require developers to upload keys to PyPI? This solution doesn't seem to mitigate the risk. Currently, developers can already upload signed packages to PyPI with Please, can someone explain why PEP-0480 is better than just including signature validation in pip install with its own keyring, for example? Unless Thanks.
PEP 480 also does not require developers to upload keys to PyPI, it requires them to tell PyPI what keys they're going to use to sign their files.
What's the problem this feature will solve?
Currently, we can upload signed packages.
However, I didn't find any other GPG related feature in pip, and I believe a package manager in 2022 should provide a mechanism for end to end package validation.
Describe the solution you'd like
I think pip should work like Arch Linux pacman for signature validation:
Alternative Solutions
Well, you can use your distribution's package manager, but you won't get the whole PyPI ecosystem, nor the latest versions in general.
Additional context
https://wiki.archlinux.org/title/Pacman/Package_signing