Interoperability concerns

Continuing the discussion from "Prerequisites & vetoes – improving packaging security", about future work on end-to-end signing:

@steve.dower raised a question, saying:

so I want to check: Steve, this RFI will help us choose which approach we use for cryptographic signing of artifacts on PyPI (and we hope that, in future projects, we’d wire those up to work with other parts of the toolchain). Are there choices we could use that would cause interoperability concerns for you & Microsoft?

As I mentioned in my original post, I’m seeking further information before going into details.

But to prove it’s possible, “only supports GPG” would be incompatible. I’m not sure exactly where it changes from “impossible” to “inconvenient”, but I’ll definitely share details when I know.

Given the lack of consistency between code integrity systems across operating systems, I expect we’ll end up with a compatible but (for us) insufficient system by default, and hopefully a way to have platform-specific extensions that provide better trust when used by both parties.

And to be clear, I’m not proposing every contributor to PyPI has to meet a higher bar. It just won’t do anything to increase our level of trust in the whole system and might make it harder to enable optional systems that would.

Thanks to everyone for participating in this discussion! The RFI period has closed, and replies in this category have been disabled.

Based on the feedback, we’ll be updating our scope before opening the Request for Proposals period next week along with a new discussion category.

If you’re interested in participating in the RFP sign up at https://forms.gle/redWdNhwMqzRG1jC8 to be notified when it launches.