[HN Gopher] Python PGP proposal poses packaging puzzles
___________________________________________________________________
Python PGP proposal poses packaging puzzles
Author : jwilk
Score : 37 points
Date : 2024-10-25 08:35 UTC (3 days ago)
(HTM) web link (lwn.net)
(TXT) w3m dump (lwn.net)
| tptacek wrote:
| This leaves out the important context that key verification for
| these packages isn't functional.
|
| _In the last 3 years, about 50k signatures had been uploaded to
| PyPI by 1069 unique keys. Of those 1069 unique keys, about 30% of
| them were not discoverable on major public keyservers, making it
| difficult or impossible to meaningfully verify those signatures.
| Of the remaining 71%, nearly half of them were unable to be
| meaningfully verified at the time of the audit (2023-05-19) 2._
|
| More recently, on this thread:
|
| https://news.ycombinator.com/item?id=41873215
| ArchOversight wrote:
| This is related to the distribution of CPython itself, the key
| verification for those artifacts does work and has worked
| forever. The packaging referred to by the article is about
| packaging Python itself by upstream distributions.
|
| Python packages developed by third-party developers and
| uploaded to PyPI are indeed not verifiable due to the key
| issues you mentioned, which is a minor note in the article.
| westurner wrote:
| W3C DIDs are verifiable, e.g. with blockchain-
| certificates/cert-verifier-js and blockchain-
| certificates/cert-verifier (Python).
|
| If PyPI is not a keyserver, if it only hosts the attestations
| and checks checksums, can it fully solve for [Python]
| software supply chain security?
|
| A table comparing the various known solutions might be good;
| including md5, sha3, GPG .ASC signatures, TUF, Uptane,
| Sigstore (Cosign + Rekor), PyPI w/w/o attestations, VC
| Verifiable Credentials, and Blockcerts (Verifiable
| Credentials (DIDs))
| woodruffw wrote:
| > the key verification for those artifacts does work and has
| worked forever.
|
| Go try to verify some of the PGP signatures on CPython
| releases that are older than 2.7. You might be surprised.
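What the audit tptacek quotes and woodruffw's suggestion both turn on is the step before any cryptography: reading the issuer identity out of the detached .asc file and asking whether you even hold that key. The Python below is an added example, not code from the article, the PEP, CPython or PyPI. It parses the ASCII armor and the v4 signature packet per RFC 4880 (plus the Issuer Fingerprint subpacket, type 33, from RFC 9580) and reports whether the issuer appears in a caller-supplied map of local fingerprints. The sample signature, its fingerprint and its timestamp are constructed for the example and its signature MPI is a placeholder, so it is not cryptographically valid; the code only decides whether verification is possible and never verifies anything.

```python
"""Added example (not from the article, the PEP, CPython or PyPI): pull the issuer out
of a detached OpenPGP .asc signature and say whether that key is on hand locally."""
import base64

SUB_CREATION_TIME, SUB_ISSUER_KEYID, SUB_ISSUER_FPR = 2, 16, 33
SAMPLE_FPR = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF01234567")  # constructed

def dearmor(armored: str) -> bytes:
    # RFC 4880 s6.2: BEGIN line, optional headers, blank line, base64, optional "=CRC", END.
    lines = armored.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Version:" / "Comment:" headers
        i += 1
    body = [ln.strip() for ln in lines[i + 1:] if not ln.startswith(("=", "-----END"))]
    return base64.b64decode("".join(body))

def _length(buf: bytes, pos: int, two_octet_max: int) -> tuple[int, int]:
    # New-format length: packets keep 224..254 for partial lengths, subpackets use 2 octets up to 254.
    first = buf[pos]
    if first < 192:
        return first, 1
    if first < two_octet_max:
        return ((first - 192) << 8) + buf[pos + 1] + 192, 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), 5
    raise ValueError("partial body lengths not supported")

def read_packet(data: bytes, pos: int = 0) -> tuple[int, bytes]:
    ctb = data[pos]  # packet header (s4.2): bit 7 always set, bit 6 selects new format
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:
        tag, (length, n) = ctb & 0x3F, _length(data, pos + 1, 224)
    else:  # old format: tag in bits 5..2, length-of-length code in bits 1..0
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = (1, 2, 4)[ltype]
        length = int.from_bytes(data[pos + 1:pos + 1 + n], "big")
    body = data[pos + 1 + n:pos + 1 + n + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def _subpackets(blob: bytes) -> list[tuple[int, bytes]]:
    out, pos = [], 0  # s5.2.3.1: length covers the type octet; type bit 7 = critical flag
    while pos < len(blob):
        length, n = _length(blob, pos, 255)
        pos += n
        if length < 1 or pos + length > len(blob):
            raise ValueError("malformed subpacket")
        out.append((blob[pos] & 0x7F, blob[pos + 1:pos + length]))
        pos += length
    return out

def parse_signature(armored: str) -> dict:
    tag, body = read_packet(dearmor(armored))
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    info = {"version": 4, "sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3]}
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    subs = _subpackets(body[6:6 + hlen]) + _subpackets(body[8 + hlen:8 + hlen + ulen])
    for stype, data in subs:
        if stype == SUB_CREATION_TIME:
            info["creation_time"] = int.from_bytes(data, "big")
        elif stype == SUB_ISSUER_KEYID:  # usually unhashed: a lookup hint, not evidence
            info["issuer_key_id"] = data.hex().upper()
        elif stype == SUB_ISSUER_FPR:    # hashed; data[0] is the key version
            info["issuer_fingerprint"] = data[1:].hex().upper()
    return info

def check_key_availability(armored: str, local_keys: dict[str, str]) -> tuple[str, str]:
    # local_keys: full fingerprint (upper hex) -> label; "key-missing" is gpg's NO_PUBKEY case.
    info = parse_signature(armored)
    fpr, kid = info.get("issuer_fingerprint"), info.get("issuer_key_id")
    for known in local_keys:  # a v4 key ID is the low 64 bits of the fingerprint
        if known == fpr or (kid and known.endswith(kid)):
            return "key-available", known
    return "key-missing", fpr or kid or "unknown"

def build_sample_signature() -> str:
    # Constructed v4 RSA/SHA-256 signature with a placeholder MPI: it cannot verify,
    # which is fine because only its metadata is inspected here.
    def sub(stype: int, data: bytes) -> bytes:  # one-octet length form (< 192 bytes)
        return bytes([len(data) + 1, stype]) + data
    hashed = sub(SUB_CREATION_TIME, (1700000000).to_bytes(4, "big")) \
        + sub(SUB_ISSUER_FPR, b"\x04" + SAMPLE_FPR)
    unhashed = sub(SUB_ISSUER_KEYID, SAMPLE_FPR[-8:])
    body = (bytes([4, 0x00, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xca\xfe" + b"\x00\x08\xab")
    packet = bytes([0x89]) + len(body).to_bytes(2, "big") + body  # old-format tag-2 header
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"
```

A key-missing result is the situation gpg reports as NO_PUBKEY, and it is where the keyserver lookup that the quoted audit found failing for about 30% of keys would normally happen. Two caveats: the Issuer key ID subpacket usually lives in the unhashed area, so it is not covered by the signature and is only a lookup hint, and even the hashed fingerprint merely names a key; deciding whether that key belongs to the release manager is a separate trust decision that no parser can make for you.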
| wesselbindt wrote:
| Awesome alliteration always achieves amusement.
| hifromwork wrote:
| >In the PEP, Larson argues that providing PGP and sigstore
| signatures fails to give downstream projects any incentive to
| adopt sigstore. So long as CPython continues to provide PGP
| signatures, there is little motivation to adopt sigstore.
|
| No better way to convince people to use a standard than forcing
| them. Taking away choice by force sounds a bit contradictory to
| the idea of Open Source. I mean, maybe sigstore is a better idea,
| but why not let people make their choice.
___________________________________________________________________
(page generated 2024-10-28 23:01 UTC)