From guido@python.org Thu Mar 7 01:14:07 2002
From: guido@python.org (Guido van Rossum)
Date: Wed, 06 Mar 2002 20:14:07 -0500
Subject: [Catalog-sig] Chris Liechti: dead link
Message-ID: <200203070114.g271E7H18216@pcp742651pcs.reston01.va.comcast.net>

Does anybody know a substitute link?

--Guido van Rossum (home page: http://www.python.org/~guido/)

------- Forwarded Message

Date: Thu, 07 Mar 2002 00:35:23 +0100
From: Chris Liechti
To: webmaster@python.org
Subject: dead link

on this catalog-sig page: http://python.org/sigs/catalog-sig/others.html
the debian link is dead: http://www.debian.org/doc/packaging-manuals/packaging.html/
the directory still exists but there is no packaging.html

chris

------- End of Forwarded Message

From lac@strakt.com Thu Mar 7 19:38:31 2002
From: lac@strakt.com (Laura Creighton)
Date: Thu, 7 Mar 2002 20:38:31 +0100
Subject: [Catalog-sig] dead link about Debian packages
Message-ID: <200203071938.g27JcVls018889@ratthing-b246.strakt.com>

This is a link to the FAQ about Debian packages:
http://www.debian.org/doc/FAQ/ch-pkg_basics.html

Be warned: Here is the last entry in its entirety:

6.15 How do I create Debian packages myself?

For more detailed description on this, read the New Maintainers' Guide,
available in the maint-guide package, or at
ftp://ftp.debian.org/debian/doc/package-developer/maint-guide.html.tar.gz.

I think that it is a copy of that guide that you really want to link to.

That is here:
http://www.debian.org/doc/maint-guide/index.html#copyright

This last thing is what I think the python page should link to. But I never
saw what was the link before, so I have no idea whether this is a replacement
link to the one that was lost, or just the definitive link on how to make
debian packages.

Laura Creighton

From k_vertigo@yahoo.com Sun Mar 10 04:04:08 2002
From: k_vertigo@yahoo.com (Kapil Thangavelu)
Date: Sat, 9 Mar 2002 20:04:08 -0800 (PST)
Subject: [Catalog-sig] dead link about Debian packages
In-Reply-To: <200203071938.g27JcVls018889@ratthing-b246.strakt.com>
Message-ID: <20020310040408.89738.qmail@web11606.mail.yahoo.com>

i think a link to
http://www.debian.org/doc/packaging-manuals/developers-reference/
might be more appropriate, if only because it discusses in more depth
the workings of the debian repository.

cheers

kapil

--- Laura Creighton wrote:
> This is a link to the FAQ about Debian packages:
> http://www.debian.org/doc/FAQ/ch-pkg_basics.html
>
> Be warned: Here is the last entry in its entirety:
>
> 6.15 How do I create Debian packages myself?
>
> For more detailed description on this, read the New
> Maintainers' Guide, available in the maint-guide
> package, or at
> ftp://ftp.debian.org/debian/doc/package-developer/maint-guide.html.tar.gz.
>
> I think that it is a copy of that guide that you
> really want to link to.
>
> That is here:
> http://www.debian.org/doc/maint-guide/index.html#copyright
>
> This last thing is what I think the python page
> should link to. But I never saw what was the link
> before, so I have no idea whether this is a
> replacement link to the one that was lost, or just
> the definitive link on how to make debian packages.
>
> Laura Creighton

From k_vertigo@yahoo.com Sun Mar 10 22:42:48 2002
From: k_vertigo@yahoo.com (Kapil Thangavelu)
Date: Sun, 10 Mar 2002 14:42:48 -0800 (PST)
Subject: [Catalog-sig] repository security concerns
Message-ID: <20020310224248.89917.qmail@web11606.mail.yahoo.com>

hi folks,

one of my biggest concerns with a python-repository is dealing with
security, as the repository is enabling of a framework of automatic
installation of software and will also tend to serve as a primary
source of python packages for manual installations.

i'm interested in attempts to make some sort of end-to-end
(uploader->downloader) security checks. but i don't want to increase
developer overhead more than what people are willing to do. so here's
a first attempt at a model.

uploaders will have a copy of their public keys stored on the
repository. new distribution files should have their checksums signed
and uploaded as well. all uploading should take place over ssl. a
file, its signature, and the public key of the uploader will be made
available for download for verification by the end user or an
automated tool.

is there an easier way to try and ensure end-to-end security, or are
there flaws in the above model? does it require too much of the
developer? should the repository even be attempting to be secure?

thanks

kapil thangavelu

From DavidA@ActiveState.com Sun Mar 10 23:00:08 2002
From: DavidA@ActiveState.com (David Ascher)
Date: Sun, 10 Mar 2002 15:00:08 -0800
Subject: [Catalog-sig] repository security concerns
References: <20020310224248.89917.qmail@web11606.mail.yahoo.com>
Message-ID: <3C8BE578.B3EEFCED@ActiveState.com>

> one of my biggest concerns with a python-repository is
> dealing with security, as the repository is enabling
> of a framework of automatic installation of software
> and will also tend to serve as a primary source of
> python packages for manual installations.

This appears to be a non-issue in the Perl world. CPAN is a simple FTP
repository, and yet it works. Installing modules from CPAN is a
one-liner in Perl.

My recommendation is to worry about security later, when you have
critical mass. Any stringent security measure you impose now will
dramatically impact your level of acceptance. Keep in mind that doing
SSH'ish things on Windows is much too hard for most people.

It's relatively easy to add a "seal of approval" by a few "authorities"
post-hoc for those users concerned w/ security.

my 2c.

--david

From martin@v.loewis.de Mon Mar 11 04:57:36 2002
From: martin@v.loewis.de (Martin v. Loewis)
Date: 11 Mar 2002 05:57:36 +0100
Subject: [Catalog-sig] repository security concerns
In-Reply-To: <3C8BE578.B3EEFCED@ActiveState.com>
References: <20020310224248.89917.qmail@web11606.mail.yahoo.com> <3C8BE578.B3EEFCED@ActiveState.com>

David Ascher writes:

> > one of my biggest concerns with a python-repository is
> > dealing with security, as the repository is enabling
> > of a framework of automatic installation of software
> > and will also tend to serve as a primary source of
> > python packages for manual installations.
>
> This appears to be a non-issue in the Perl world. CPAN is a simple FTP
> repository, and yet it works. Installing modules from CPAN is a
> one-liner in Perl.

It certainly is an issue. In PAUSE, you need to have a password to
identify yourself as an uploader. Use of secure HTTP for PAUSE is
strongly recommended.

Implementing a password scheme for the Python repository may also be
an option, but I'd prefer signed packages instead, or at least in
addition.

Regards,
Martin

From akuchlin@mems-exchange.org Mon Mar 11 15:38:54 2002
From: akuchlin@mems-exchange.org (Andrew Kuchling)
Date: Mon, 11 Mar 2002 10:38:54 -0500
Subject: [Catalog-sig] repository security concerns
In-Reply-To: <20020310224248.89917.qmail@web11606.mail.yahoo.com>
References: <20020310224248.89917.qmail@web11606.mail.yahoo.com>
Message-ID: <20020311153854.GA19970@ute.mems-exchange.org>

On Sun, Mar 10, 2002 at 02:42:48PM -0800, Kapil Thangavelu wrote:
>is there an easier way to try and ensure end-to-end
>security, or are there flaws in the above model? does
>it require too much of the developer? should the
>repository even be attempting to be secure?

It seems reasonable, and could be made fairly simple by just using
GnuPG to do the signature generation and checking. The Python code
could then check if GnuPG is installed, displaying an innocuous "Not
verifying signature" message if it's not, and checking the signature
if it is.

--amk (www.amk.ca)
Oh, my fingers! My arms! My legs! My everything! Argh...
    -- The Doctor, in "Nightmare of Eden"

From DavidA@ActiveState.com Mon Mar 11 17:49:07 2002
From: DavidA@ActiveState.com (David Ascher)
Date: Mon, 11 Mar 2002 09:49:07 -0800
Subject: [Catalog-sig] repository security concerns
References: <20020310224248.89917.qmail@web11606.mail.yahoo.com> <20020311153854.GA19970@ute.mems-exchange.org>
Message-ID: <3C8CEE13.1B26BCFD@activestate.com>

Andrew Kuchling wrote:

> It seems reasonable, and could be made fairly simple by just using
> GnuPG to do the signature generation and checking. The Python code
> could then check if GnuPG is installed, displaying an innocuous "Not
> verifying signature" message if it's not, and checking the signature
> if it is.

Whatever you do, my suggestion is to make sure the process works for
Unix, Windows and Mac users. Sourceforge, for example, is a real pain
to set up for non-Unixers. Until recently, there wasn't even good key
generation software for Windows. That's apparently been fixed in recent
versions of the putty et al. software. I don't know anything about
GnuPG in that (or any other) respect =).

--david

From zen@shangri-la.dropbear.id.au Thu Mar 14 00:53:35 2002
From: zen@shangri-la.dropbear.id.au (Stuart Bishop)
Date: Thu, 14 Mar 2002 11:53:35 +1100
Subject: [Catalog-sig] repository security concerns

> uploaders will have a copy of their public keys stored
> on the repository. new distribution files should
> have their checksums signed and uploaded as well. all
> uploading should take place over ssl. a file, its
> signature, and the public key of the uploader will be
> made available for download for verification by the
> end user or an automated tool.

There is a flaw here - if an attacker can corrupt a file on the server
or between the server and a client, they can also do so with the
developer's key.

Also, if I download a trojan version of Numeric from the catalog, it
will still be signed by the key of the uploader and perfectly valid.
It would be impossible for the client to know that the key belongs to
a hacker.

It would be perfectly valid to reveal the SHA-1 hash of a file, so
that a client can confirm the validity of a file *with a different
mirror* to avoid using a corrupt version. This would reduce attack
points to the master server that allows uploading of new files.

--
Stuart Bishop
http://shangri-la.dropbear.id.au/

From martin@v.loewis.de Thu Mar 14 07:28:48 2002
From: martin@v.loewis.de (Martin v. Loewis)
Date: 14 Mar 2002 08:28:48 +0100
Subject: [Catalog-sig] repository security concerns

Stuart Bishop writes:

> It would be perfectly valid to reveal the SHA-1 hash
> of a file, so that a client can confirm the validity
> of a file *with a different mirror* to avoid using a
> corrupt version. This would reduce attack points to
> the master server that allows uploading of new files.

Having the public key of the uploader on a different mirror achieves
the same trust.

Regards,
Martin

From k_vertigo@yahoo.com Tue Mar 19 00:57:24 2002
From: k_vertigo@yahoo.com (Kapil Thangavelu)
Date: Mon, 18 Mar 2002 16:57:24 -0800 (PST)
Subject: [Catalog-sig] repository security concerns
Message-ID: <20020319005724.58542.qmail@web11602.mail.yahoo.com>

--- "Martin v. Loewis" wrote:
> Implementing a password scheme for the Python
> repository may also be an option, but I'd prefer
> signed packages instead, or at least in addition.

i think in deference to mac and windows users, it would be best to make
uploading of signed packages optional.

part of my concern over having signed packages and security in general
is not offering a false sense of security, because real security is
hard to do. not to say that i think security should be ignored; i
definitely want to make a good effort on making a catalog secure.

wrt separate python repository logins, for gideon, a separate password
scheme is in order to create a community based site, in that although
the site functions in read only mode for anonymous users, contributing
content (packages, reviews, ratings) or access to certain services
(email updates) requires creating an account.

i'm unhappy with the current login scheme, which is based on the zope
product CookieCrumbler (used in zope's CMF) and is insecure, imo. i'm
looking to alter it to one based on the design below
http://developer.arsdigita.com/doc/security-design.html
and restrict sensitive locations to ssl.
cheers

kapil

From k_vertigo@yahoo.com Tue Mar 19 04:16:40 2002
From: k_vertigo@yahoo.com (Kapil Thangavelu)
Date: Mon, 18 Mar 2002 20:16:40 -0800 (PST)
Subject: [Catalog-sig] gideon snapshot
Message-ID: <20020319041640.37114.qmail@web11606.mail.yahoo.com>

i've uploaded a new snapshot of the python repository code to
http://www.zope.org/Members/k_vertigo/Products/Gideon

most of the new work has been expanding infrastructure for additional
functionality (tracker, subscriptions) that i hope will speed
development, and refactoring.

full change log @
http://www.zope.org/Members/k_vertigo/Products/Gideon/Changes

i'll be updating the demo site, after i get the subscription system
working.

cheers

kapil
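The client-side cross-checks argued for in the "repository security concerns" thread above (Kapil's file/signature/key download model, Stuart's objection that whoever can swap the file on a mirror can swap the key stored beside it, and the SHA-1 digest and uploader key being confirmed against the master server rather than the mirror, as Stuart and Martin propose), as an added example that is not code from the thread or from Gideon. The package bytes, the placeholder keys and the three mirrors are constructed sample data, and the signature check itself is left to a tool such as GnuPG, as Andrew suggests.

```python
import hashlib

# Constructed sample data (not a real package or key): the file and the
# uploader's public key exactly as the master server knows them.
PACKAGE = b"Numeric-21.0.tar.gz: constructed sample contents\n"
UPLOADER_KEY = b"PLACEHOLDER-PUBLIC-KEY: numeric-maintainer\n"
ATTACKER_KEY = b"PLACEHOLDER-PUBLIC-KEY: someone-else\n"

def sha1_hex(data):
    # The thread proposes SHA-1 (2002); a catalog built today would use SHA-256.
    return hashlib.sha1(data).hexdigest()

# What the master (upload-only) server publishes: one small index entry per
# package. Mirrors serve the bulky files; the client consults the master only
# for the file digest and the fingerprint of the uploader's key, so a mirror
# that swaps the file and the key stored beside it gains nothing.
MASTER_INDEX = {"Numeric": {"sha1": sha1_hex(PACKAGE),
                            "key_fpr": sha1_hex(UPLOADER_KEY)}}

# Three constructed mirrors, each serving (file, uploader key) pairs.
MIRRORS = {
    "mirror-a": {"Numeric": (PACKAGE.replace(b"sample", b"trojan"), ATTACKER_KEY)},
    "mirror-b": {"Numeric": (PACKAGE, ATTACKER_KEY)},   # file intact, key swapped
    "mirror-c": {"Numeric": (PACKAGE, UPLOADER_KEY)},   # honest copy
}

def fetch(name, mirrors=MIRRORS, index=MASTER_INDEX):
    """Return the first mirror copy matching the master's digest and key
    fingerprint, together with the mirrors rejected on the way."""
    expected = index[name]
    rejected = []
    for mirror, files in mirrors.items():
        if name not in files:
            rejected.append((mirror, "not carried"))
            continue
        data, key = files[name]
        if sha1_hex(data) != expected["sha1"]:
            rejected.append((mirror, "file digest mismatch"))
            continue
        if sha1_hex(key) != expected["key_fpr"]:
            rejected.append((mirror, "uploader key mismatch"))
            continue
        # Both cross-checks passed; the detached signature would now be
        # verified with this key (e.g. via GnuPG). What this still cannot
        # catch: a malicious package uploaded by the key's legitimate owner.
        return {"mirror": mirror, "data": data, "key": key, "rejected": rejected}
    raise ValueError("no trustworthy copy of %s: %s" % (name, rejected))
```

The attack surface this leaves is the one Stuart names: the master server that accepts uploads, and the uploader's own key.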