[Twisted-Python] ANN: pythonpackages.com beta

Alex Clark aclark at aclark.net
Mon Jul 30 15:09:07 MDT 2012 

Hi Eric,

On 7/30/12 4:49 PM, Eric P. Mangold wrote:
> On Mon, Jul 30, 2012 at 12:49:56PM -0400, Alex Clark wrote:
>> Hi,
>>
>>
>> On 7/30/12 12:31 PM, Eric P. Mangold wrote:
>>> Alex,
>>>
>>> I'm not sure if this is borderline off-topic, or not... but anyway..
>>>
>>> I'm sure starting a discussion here IS offtopic.
>>>
>>> But I have one question:
>>>
>>> How do package authors verify the integrity of their packages built "through the web"?
>>
>>
>> Good question, I just created:
>>
>> -
>> http://docs.pythonpackages.com/en/latest/faq.html#how-do-package-authors-verify-the-integrity-of-packages-built-through-the-web
>
> Let me be clear:
>
> Is it possible to have any assurance that your system has faithfully built the package, and/or that your servers have not been compromised?
>
> Why would anyone trust your web service to build packages, when it is *their* pgp, reputation and users that are at stake?
> (Yes, I would ask Launchpad/Canonical, et. all the same question...)
>
> (Also, if you're suggesting MD5 (following your link..) for anything related to security or data authenticity, then I *know* you're way off base.......)


The point about md5 is not to suggest using it for security or data 
authenticity, it's to clarify that whatever security is currently place 
with PyPI (not a lot, admittedly) still applies, for whatever that is 
worth (not much, apparently).


>
> Sorry if this is harsh - but it's intended. Without any kind of verifiable guarantee (get to work on that! :)) I don't think I could ever possibly use such a thing, and would advise against it.
>
> Getting software to end-users is a tough challenge, and I applaude your efforts to try and make it easier. A system with a single point of failure and a single point of trust just isn't feasible or desirable, imho.Administrators need to know who has final responsibility and *authority* 
over the software that they are consuming. If "the cloud" is the last 
link in that chain, then you have a big problem, I think.


The last link in the chain is PyPI (or a private index). The node before 
that is typically your laptop. I'm suggesting you make it 
pythonpackages.com instead.

Folks can either trust us or not, based on the "real world" risk 
perceived. Of course we will try to convince them it is safe by actually 
make it safe, in whatever way is necessary/possible.

As for all your security points above, they are clearly valid and 
currently addressed (to the best of our ability) in the FAQ:

- http://docs.pythonpackages.com/en/latest/faq.html

And here:

- http://docs.pythonpackages.com/en/latest/security.html


>
> Have a nice day,
> -E
>
> P.S. Im open to sugguestions for moving this thread (where?), as I don't believe it belongs on this list.


You can bring it up (or join an existing thread) on catalog-sig if you 
like. I'm also in #pythonpackages on freenode 24/7. Thanks for the interest!



Alex





>


-- 
Alex Clark ยท http://pythonpackages.com/ONE_CLICK

More information about the Twisted-Python mailing list