
[Distutils] Docker Content Trust and PyPI package signing

From: Nick Coghlan <ncog...@gmail.com>
Mon, 24 Aug 2015 10:19:18 +1000
Hi folks,

The recent Docker 1.8 release was the first one to include their new
content signing system, which is described well in this post:
https://blog.docker.com/2015/08/content-trust-docker-1-8/

The reason I bring that up here is because the Docker Content Trust
system is based on The Update Framework, which is the same system
we've been exploring for PyPI package signing in PEPs 458 and 480.

The part I particularly like is the way they have handled the trust
establishment process for content signing: they use a "trust on first
use" model by default, similar to that used in SSH. This means there
is still a reliance on HTTPS and the CA system, but only for the task
of bootstrapping TUF in a way that allows new clients to obtain the
public signing certificate of the repo publisher transparently. Once
the initial trust relationship with a public repo like PyPI or a
private repo within a company or other organisation has been
established, later compromises of the CA system don't provide the
ability to forge package signatures.

Also of potential interest is the TUF-based signing infrastructure
that Docker built, Notary: https://github.com/docker/notary

While I don't have a strong personal preference one way or the other,
finding a way to reuse that does seem like it could be an interesting
architectural alternative to building signing capabilities directly
into Warehouse itself.

Regards,
Nick.

-- 
Nick Coghlan   |   ncog...@gmail.com   |   Brisbane, Australia
_______________________________________________
Distutils-SIG maillist  -  Dist...@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
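The trust-on-first-use bootstrap described above, as an added illustration that is not code from the post, Docker Content Trust, Notary or TUF: a client pins the publisher's root key on first contact and afterwards verifies updates only under that pinned key, so a later compromise of the transport (HTTPS/CA) that presents a different key cannot forge metadata. The Client, SignedMetadata, Sign and Scenario names are hypothetical and the metadata format is simplified to a signed byte string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Client pins the publisher's root key on first use, like SSH known_hosts.
type Client struct {
	pinned ed25519.PublicKey // nil until the bootstrap fetch succeeds
}

// SignedMetadata is a simplified stand-in for a signed TUF metadata file:
// the signed bytes, the signature, and the key the repository presents.
type SignedMetadata struct {
	Body []byte
	Sig  []byte
	Key  ed25519.PublicKey // key served alongside the metadata (e.g. over HTTPS)
}

// Verify pins the presented key on first contact (the only step that relies on
// HTTPS/CA) and then requires every later update to verify under the pinned key,
// ignoring whatever key the transport presents from then on.
func (c *Client) Verify(m SignedMetadata) error {
	if c.pinned == nil {
		if !ed25519.Verify(m.Key, m.Body, m.Sig) {
			return errors.New("bootstrap metadata does not verify under presented key")
		}
		c.pinned = m.Key
		return nil
	}
	if !ed25519.Verify(c.pinned, m.Body, m.Sig) {
		return errors.New("signature does not verify under pinned root key")
	}
	return nil
}

// Sign produces metadata signed by priv, presenting priv's public key.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMetadata {
	return SignedMetadata{Body: body, Sig: ed25519.Sign(priv, body), Key: priv.Public().(ed25519.PublicKey)}
}

// Scenario returns (legitimate update accepted, forged update rejected) for a
// constructed publisher key and a constructed attacker key.
func Scenario() (bool, bool) {
	_, pubPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Client{}
	_ = c.Verify(Sign(pubPriv, []byte("root v1")))                // first use
	legit := c.Verify(Sign(pubPriv, []byte("targets v2"))) == nil  // same key
	forged := c.Verify(Sign(attackerPriv, []byte("targets v3"))) != nil // new key
	return legit, forged
}

func main() { fmt.Println(Scenario()) }
```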
