[ptl][tc] OpenStack packages PyPi additional external maintainers audit & cleanup

Jeremy Stanley fungi at yuggoth.org
Thu Jan 26 03:03:00 UTC 2023


On 2023-01-25 16:46:03 -0800 (-0800), Clark Boylan wrote:
> On Mon, Jan 23, 2023, at 5:18 PM, Michael Johnson wrote:
[...]
> > I think we should also discuss the following improvements:
> > 
> > 1. We PGP sign these releases with an OpenStack key, but we don't
> > upload the .asc file with the packages to PyPi. Why don't we do this
> > to help folks have an easy way to validate that the package came from
> > the OpenStack releases process?
> > 
> > 2. With these signatures, we can automate tools to validate that
> > releases were signed by the OpenStack release process and raise an
> > alert if they are invalid.
> 
> My main concern with doing this is that it requires users to opt
> into checking it because pip itself is never going to check the
> gpg signatures. It is better than nothing, but the vast majority
> of people running a pip install and pulling in random libraries
> from openstack as dependencies will never validate the signatures.
[...]

I read this suggestion as having automation or some periodic task
performed by the release managers or similar group, whereby our
community checks new releases against available signatures rather
than at install time.

Worth noting, the release team already periodically runs a script
which audits all project tags to make sure we have all intended
packages and signatures in the expected locations. It would
theoretically be possible to just double check that there aren't any
extra packages/releases on PyPI that don't correspond to release
tags in our repositories or are otherwise anomalous (extra platform
wheels, post versions, et cetera) or which differ from the ones on
our tarballs site in some way. That should be sufficient to catch
most possibilities without needing to actually retrieve every
package so that the signatures for them can be validated directly.
-- 
Jeremy Stanley
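One way to implement the anomaly check described above, as an added example that is not part of the original message and not the OpenStack release team's own audit script: it takes a project's PyPI file listing (assumed to be in the shape of the "releases" key returned by https://pypi.org/pypi/<project>/json), the set of release tags from git, and a hypothetical mapping of sdist filename to sha256 standing in for the tarballs site, and reports releases without a tag, post/local versions, platform wheels, sdists that differ from the tarballs site, and tags with no PyPI release. The sample data for the hypothetical project "example-lib" is constructed inline, so nothing is downloaded.

```python
"""Audit one project's PyPI file listing against its git tags and tarball digests.

Added example, not the OpenStack release team's audit script. It flags the
anomalies named in the message (PyPI releases with no tag, post versions,
extra platform wheels, sdists that differ from the tarballs site) over
constructed sample data, so nothing is downloaded.
"""
import hashlib
import re
from dataclasses import dataclass

# Wheel filename layout: {dist}-{version}(-{build})?-{python}-{abi}-{platform}.whl
WHEEL_RE = re.compile(
    r"^(?P<dist>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)
# PEP 440 post-release segment; a tagged release never carries one.
POST_RE = re.compile(r"\.post\d+", re.IGNORECASE)


@dataclass(frozen=True)
class Anomaly:
    version: str
    filename: str   # empty when the finding concerns the version as a whole
    reason: str


def audit_release(pypi_releases, git_tags, tarball_sha256):
    """pypi_releases: {version: [file dicts]} as in PyPI's JSON API "releases" key
    (filename, packagetype, digests.sha256); git_tags: release tags from the repo;
    tarball_sha256: {sdist filename: sha256} as assumed to be served by the tarballs site."""
    findings = []
    tags = set(git_tags)
    for version, files in sorted(pypi_releases.items()):
        if version not in tags:
            findings.append(Anomaly(version, "", "no matching release tag in git"))
        if POST_RE.search(version) or "+" in version:
            findings.append(Anomaly(version, "", "post-release or local version segment"))
        sdists = [f for f in files if f["packagetype"] == "sdist"]
        if len(sdists) != 1:
            findings.append(Anomaly(version, "", f"expected one sdist, found {len(sdists)}"))
        for f in sdists:
            expected = tarball_sha256.get(f["filename"])
            if expected is None:
                findings.append(Anomaly(version, f["filename"], "sdist not present on tarballs site"))
            elif expected != f["digests"]["sha256"]:
                findings.append(Anomaly(version, f["filename"], "sdist sha256 differs from tarballs site"))
        for f in files:
            if f["packagetype"] == "sdist":
                continue
            if f["packagetype"] != "bdist_wheel":
                findings.append(Anomaly(version, f["filename"], f"unexpected package type {f['packagetype']}"))
                continue
            m = WHEEL_RE.match(f["filename"])
            if m is None:
                findings.append(Anomaly(version, f["filename"], "unparseable wheel filename"))
            elif m.group("platform") != "any":
                # The message treats platform wheels as anomalous (the release job
                # publishes universal wheels), so anything not tagged "any" is flagged.
                findings.append(Anomaly(version, f["filename"], f"platform wheel ({m.group('platform')})"))
    for tag in sorted(tags - set(pypi_releases)):
        findings.append(Anomaly(tag, "", "release tag with no PyPI release"))
    return findings


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sdist(name, version, payload):
    return {"filename": f"{name}-{version}.tar.gz", "packagetype": "sdist",
            "digests": {"sha256": _sha256(payload)}}


def _wheel(filename):
    return {"filename": filename, "packagetype": "bdist_wheel",
            "digests": {"sha256": _sha256(filename.encode())}}


# Constructed sample data for a hypothetical project "example-lib"; digests are
# computed from placeholder bytes so that matches and mismatches are deliberate.
SAMPLE_GIT_TAGS = {"1.0.0", "1.0.1", "1.1.0", "1.2.0"}
SAMPLE_TARBALL_SHA256 = {
    "example-lib-1.0.0.tar.gz": _sha256(b"example-lib 1.0.0 sdist"),
    "example-lib-1.0.1.tar.gz": _sha256(b"example-lib 1.0.1 sdist"),
    "example-lib-1.1.0.tar.gz": _sha256(b"example-lib 1.1.0 sdist"),
}
SAMPLE_PYPI_RELEASES = {
    "1.0.0": [_sdist("example-lib", "1.0.0", b"example-lib 1.0.0 sdist"),
              _wheel("example_lib-1.0.0-py3-none-any.whl")],
    "1.0.1": [_sdist("example-lib", "1.0.1", b"example-lib 1.0.1 sdist"),
              _wheel("example_lib-1.0.1-py3-none-any.whl"),
              _wheel("example_lib-1.0.1-cp39-cp39-manylinux2014_x86_64.whl")],  # extra
    "1.0.2.post1": [_sdist("example-lib", "1.0.2.post1", b"not from the release job")],
    "1.1.0": [_sdist("example-lib", "1.1.0", b"example-lib 1.1.0 sdist, altered"),
              _wheel("example_lib-1.1.0-py3-none-any.whl")],
}

if __name__ == "__main__":
    for a in audit_release(SAMPLE_PYPI_RELEASES, SAMPLE_GIT_TAGS, SAMPLE_TARBALL_SHA256):
        print(f"{a.version:<12} {a.filename or '-':<52} {a.reason}")
```

Only the sdist digests are compared against the tarballs site here, since that is the file the release signature covers; a clean version (1.0.0 in the sample) produces no findings, and a tag that never reached PyPI (1.2.0) is reported alongside the extra files, which is the part the existing tag audit already covers.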