PMXBOT Log file Viewer

#pypa logs for Monday the 21st of December, 2015

[15:47:39] <timlegrand> hi
[15:47:57] <timlegrand> what about signing packages with PGP?
[15:48:26] <Wooble> what about it?
[15:48:34] <timlegrand> I've read that the package creation consists in: python setup.py sdist upload --sign
[15:48:52] <timlegrand> but what is the exact procedure?
[15:49:09] <timlegrand> do I need to create a PGP priv/pub key pair first?
[15:49:18] <timlegrand> do I need to share my public key?
[15:49:53] <timlegrand> is there any native support for this in PIP now?
[15:50:16] <timlegrand> or scheduled?
[15:50:43] <timlegrand> I can't find a tutorial that covers the whole mechanism
[15:50:53] <timlegrand> any reading about that?
[15:51:21] <Wooble> You need to set up GPG first. I'm pretty sure pip still can't verify signatures.
[15:51:55] <timlegrand> ok, that answers two questions at a time
[15:52:47] <timlegrand> what about sharing the public key? Does my package embed the key?
[15:53:00] <timlegrand> what is/should be the process
[15:53:20] <timlegrand> 1. (as package creator) set up PGP
[15:53:34] <timlegrand> 2. (as package creator) upload with --sign
[15:53:43] <timlegrand> ... ?
[15:55:11] <Wooble> https://www.davidfischer.name/2012/05/signing-and-verifying-python-packages-with-pgp/ seems to imply your key should be registered with some key server. (I don't bother signing packages; probably no one verifies the signatures before installing anyway)
[15:57:16] <timlegrand> you're right that most users don't care, but that's not a reason to surrender :)
[15:58:04] <timlegrand> this article is the best lecture I've found yet. but no technical steps about after upload
[15:58:24] <timlegrand> and this may explain why people don't care :)
[15:58:37] <Wooble> I can't even find an example signed package on pypi. Even the GPG packages don't seem to be signed.
[15:58:45] <timlegrand> yes some are
[16:00:27] <Wooble> ah, python-gnupg signs their windows binary, not the sdist. :/
[16:01:16] <Wooble> (well, the README has a signature for the sdist; they're not using the "official" mechanism)
[16:03:51] <timlegrand> oh this one is a good example
[16:04:41] <timlegrand> they provided the signature in the README, but what do you mean by "official mechanism" ?
[16:04:56] <timlegrand> the --sign?
[16:10:38] <Wooble> yeah.
[16:11:01] <timlegrand> so, let's say I sign with --sign
[16:11:07] <timlegrand> what is step 3 ?
[16:11:26] <Wooble> I don't want to think too much about the README not being the same one that's in the sdist because that would be impossible. :)
[16:11:38] <timlegrand> 3. (as an enduser) I download and install the package with pip install <signedpackage>
[16:12:32] <timlegrand> 4. I either use the package without consideration about package trust
[16:12:45] <timlegrand> or I check authenticity with... ?
[16:12:49] <Wooble> I think if the end users actually care about verifying, they need to download the .tgz, verify it, untar it, and pip install from the directory.
[16:13:03] <timlegrand> argh!
[16:13:20] <Wooble> (unless there's some tool I'm not seeing that does that.)
[16:13:22] <timlegrand> ok, I begin to understand why people don't check
[16:13:47] <timlegrand> so, if they want to verify, they:
[16:14:01] <timlegrand> 4. download the .tgz, verify it, untar it
[16:14:22] <timlegrand> 5. retrieve the PGP public key of the creator
[16:14:47] <timlegrand> 6. match what against what?
[16:14:59] <timlegrand> I'm not very comfortable with the mechanism
[16:15:17] <timlegrand> sorry, mistake:
[16:15:24] <timlegrand> 4. download the .tgz
[16:15:29] <timlegrand> 5. retrieve the PGP public key of the creator
[16:15:32] <timlegrand> 6. match what against what?
[16:16:13] <timlegrand> oh, yes, you mean that the PGP signature acts as a checksum for the tar.gz
[16:17:13] <timlegrand> so, the creator does: package + private => checksum
[16:17:22] <timlegrand> the 6. becomes:
[16:17:59] <timlegrand> 6. (as an enduser) do: package + public key = downloaded_checksum
[16:18:23] <Wooble> the gpg tool does those 2 things for you...
[16:18:25] <timlegrand> 7. match <downloaded_checksum> against <checksum>
[16:20:36] <timlegrand> hum, what two things exactly?
[16:21:21] <Wooble> the generating a signature and verifying one.
[16:23:51] <timlegrand> what is the command line for:
[16:23:59] <timlegrand> 6. (as an enduser) do: package + public key = downloaded_checksum
[16:24:18] <timlegrand> the "verify" step you're talking about
[16:26:44] <Wooble> gpg --verify signature.asc file.tgz or something.
[16:27:25] <shibly> What's the latest version of pip ?
[16:27:29] <Wooble> https://www.davidfischer.name/2012/05/signing-and-verifying-python-packages-with-pgp/ covers the verification step pretty well. And notes that you probably don't trust the person who signed it anyway.
[16:27:47] <Wooble> shibly: 7.1.2
[16:29:46] <timlegrand> well, you're right that it covers it well, but before talking to you it was not crystal clear
[16:29:49] <shibly> pip --version returns = pip 1.5.6 from /usr/lib/python2.7/dist-packages (python 2.7)
[16:29:55] <shibly> Is it very outdated?
[16:30:04] <timlegrand> pip install -U pip
[16:30:39] <Wooble> yes, 1.5.6 is ancient.
[16:30:58] <timlegrand> your version is typically an outdated one from the Ubuntu package index
[16:31:52] <timlegrand> Wooble: so I understand now what 'gpg --verify rpc4django-0.1.12.tar.gz.asc rpc4django-0.1.12.tar.gz' means
[16:32:07] <timlegrand> it means we have to provide the .asc file separately
[16:32:58] <Wooble> timlegrand: sure, but --sign should do that when you upload.
[16:33:54] <timlegrand> ok, I need to test on testpypi to check what --sign actually does
[16:34:29] <timlegrand> since setup.py is able to sign, why would it not be able to perform the other side of the chain, huh?
[16:34:39] <timlegrand> I'll check all this
[16:35:01] <timlegrand> thanks for your time and your good explanations
[16:36:57] <Wooble> Well, when you run setup.py install there's no expected location for a signature, for one thing. For another, at that point you've already run arbitrary code from the internet; having that arbitrary code report that it's verified itself doesn't really help you.
[16:41:21] <shibly> python get-pip.py, where does it download pip?
[16:41:38] <agronholm> shibly: peeking inside the script would probably answer that question
[16:51:18] <shibly> agronholm: Didn't find
[16:52:35] <agronholm> shibly: oh right, pip is already included in that script
[16:52:47] <agronholm> as the docstring explains
[17:30:26] <xafer> I think it contains pip but only to run pip install pip: it should then contact PyPI to perform the usual package installation.
[17:31:20] <xafer> (and an old get-pip.py script would always try to install the latest pip version)
[21:27:32] <ids1024> Is it possible to set install_requires in setup.py to an equivalent of "(0.3.80 < version < 0.4.0) or (version > 0.4.2)"?