On 2023-01-25 16:46:03 -0800 (-0800), Clark Boylan wrote:
On Mon, Jan 23, 2023, at 5:18 PM, Michael Johnson wrote: [...]
I think we should also discuss the following improvements:
1. We PGP sign these releases with an OpenStack key, but we don't upload the .asc file with the packages to PyPI. Why don't we do this to help folks have an easy way to validate that the package came from the OpenStack releases process?
2. With these signatures, we can automate tools to validate that releases were signed by the OpenStack release process and raise an alert if they are invalid.
My main concern with doing this is that it requires users to opt into checking it because pip itself is never going to check the gpg signatures. It is better than nothing, but the vast majority of people running a pip install and pulling in random libraries from openstack as dependencies will never validate the signatures. [...]
I read this suggestion as having automation or some periodic task performed by the release managers or similar group, whereby our community checks new releases against available signatures rather than at install time. Worth noting, the release team already periodically runs a script which audits all project tags to make sure we have all intended packages and signatures in the expected locations. It would theoretically be possible to just double check that there aren't any extra packages/releases on PyPI that don't correspond to release tags in our repositories or are otherwise anomalous (extra platform wheels, post versions, et cetera) or which differ from the ones on our tarballs site in some way. That should be sufficient to catch most possibilities without needing to actually retrieve every package so that the signatures for them can be validated directly.

-- 
Jeremy Stanley
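The audit described in the reply above, sketched as an added example that is not part of this thread or of the OpenStack release tooling: it compares a constructed list of PyPI release files against git release tags and a tarballs-site listing, and flags untagged versions, .postN versions, platform wheels, and files missing or differing by sha256. The `ReleaseFile` record, the `examplepkg` name and all hashes are assumptions made up for the example.

```python
import re
from dataclasses import dataclass
# Hypothetical record (assumed shape) for one release artifact on PyPI or the tarballs site.
@dataclass(frozen=True)
class ReleaseFile:
    version: str
    filename: str
    sha256: str
# Wheel filename layout: {dist}-{version}[-{build}]-{python}-{abi}-{platform}.whl
WHEEL_RE = re.compile(r"^[^-]+-[^-]+(?:-\d[^-]*)?-[^-]+-[^-]+-(?P<plat>[^-]+)\.whl$")
def audit_release_files(pypi_files, tag_versions, tarball_files):
    """Return {filename: [reasons]} for PyPI files that look anomalous."""
    tarball_by_name = {f.filename: f for f in tarball_files}
    findings = {}
    for f in pypi_files:
        reasons = []
        if re.search(r"\.post\d+", f.version):  # a .postN version never comes from a release tag
            reasons.append("post-release version")
        elif f.version not in tag_versions:
            reasons.append("no matching release tag")
        m = WHEEL_RE.match(f.filename)
        if m and m.group("plat") != "any":  # platform wheels are not part of the normal release set
            reasons.append("platform-specific wheel")
        mirror = tarball_by_name.get(f.filename)
        if mirror is None:
            reasons.append("missing from tarballs site")
        elif mirror.sha256 != f.sha256:
            reasons.append("sha256 differs from tarballs site")
        if reasons:
            findings[f.filename] = reasons
    return findings
# Constructed sample data (not real releases); sha256 values are shortened placeholders.
TAGS = {"1.2.0", "1.2.1"}
PYPI = [
    ReleaseFile("1.2.1", "examplepkg-1.2.1.tar.gz", "aa11"),
    ReleaseFile("1.2.1", "examplepkg-1.2.1-py3-none-any.whl", "bb22"),
    ReleaseFile("1.2.1", "examplepkg-1.2.1-cp311-cp311-manylinux_2_17_x86_64.whl", "cc33"),
    ReleaseFile("1.2.1.post1", "examplepkg-1.2.1.post1.tar.gz", "dd44"),
    ReleaseFile("1.3.0", "examplepkg-1.3.0.tar.gz", "ee55"),
    ReleaseFile("1.2.0", "examplepkg-1.2.0.tar.gz", "ff66"),
]
TARBALLS = [
    ReleaseFile("1.2.1", "examplepkg-1.2.1.tar.gz", "aa11"),
    ReleaseFile("1.2.1", "examplepkg-1.2.1-py3-none-any.whl", "bb22"),
    ReleaseFile("1.2.0", "examplepkg-1.2.0.tar.gz", "0000"),  # differs from the PyPI copy
]
FINDINGS = audit_release_files(PYPI, TAGS, TARBALLS)
```

Only the two clean 1.2.1 files pass; the four others are reported with every reason that applies, so a single anomalous upload shows up even if it also happens to be missing from the tarballs site.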