[Catalog-sig] PyPI and setuptools

Giovanni Bajo rasky at develer.com
Sun Feb 10 01:54:07 CET 2013


Il giorno 10/feb/2013, alle ore 00:43, M.-A. Lemburg <mal at egenix.com> ha scritto:

> On 10.02.2013 00:13, Stephen Thorne wrote:
>> Hello,
>> 
>> One of my concerns with the recent pip dramas that have seen some excellent
>> and timely action from catalog-sig and others, is that 'setuptools' is
>> still widely distributed and used instead of distribute/pip.
> 
> Just as a data point: distribute isn't using HTTPS either and the
> distribute bootstrap site doesn't work with HTTPS:
> 
>    http://python-distribute.org/
> 
> (https://python-distribute.org/ gives
> "Error code: ssl_error_rx_record_too_long" in Firefox)
> 
> By redirecting the PyPI main and mirror sites from HTTP to HTTPS
> you can "upgrade" older installations.

Alas, this redirection wouldn't fix the main issue, because a MITM can still proxy the connection, swallow the redirection, and insert malware into the downloaded package. The only way to really fix it is to patch all PyPI clients, including distribute.

> An alternative approach would be to make people more aware of
> the possibility to configure the PyPI site URL in a distutils
> config file (even globally) and to change the URL there from
> HTTP to HTTPS:
> 
> * distutils config files:
> 
> http://docs.python.org/2/install/index.html#inst-config-files
> 
> * setuptools:
> 
> http://peak.telecommunity.com/DevCenter/EasyInstall#configuration-files
> http://peak.telecommunity.com/DevCenter/EasyInstall#command-line-options
> (the option is called --index-url)
> 
> * distribute:
> 
> http://pythonhosted.org/distribute/easy_install.html#configuration-files
> http://pythonhosted.org/distribute/easy_install.html#reference-manual
> (the option is called --index-url)


The problem with this approach is that the Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI over HTTPS, it doesn't help at all against a MITM attack.
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
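Added example, written for this archive page and not code from the thread, from distribute, setuptools or PyPI: a Python 3 urllib client that closes both gaps the message describes. It verifies the server certificate and hostname (on the 2013-era interpreters discussed here urllib/urllib2 did neither; verification became the default only with PEP 476 in Python 2.7.9 and 3.4.3), it refuses a redirect from https:// back to plain http:// (the redirect-swallowing case, seen from the client side), and it rewrites an http:// index URL in an easy_install-style config file to https://, the config-file approach from the quoted reply. The `[easy_install]` section with an `index_url` key is the configuration form the linked EasyInstall docs describe (the hyphenated spelling is accepted too); the host `pypi.example` and the sample config are constructed placeholders.

```python
"""Added example (not from the thread or from distribute/setuptools):
a urllib client that verifies certificates and refuses a TLS downgrade."""
import configparser
import io
import ssl
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlsplit


def verifying_context():
    """Context that validates the server chain against the system trust store
    and checks the hostname. Without this, forcing https:// in the index URL
    buys nothing against an active MITM, which is the thread's point."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; stated for clarity
    ctx.check_hostname = True
    return ctx


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects, except from https:// to a non-TLS URL. An index
    fetched over TLS must never send the client back to plain HTTP."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        old_scheme = urlsplit(req.full_url).scheme.lower()
        new_scheme = urlsplit(newurl).scheme.lower()
        if old_scheme == "https" and new_scheme != "https":
            raise HTTPError(req.full_url, code,
                            "refusing redirect from TLS to %s" % newurl,
                            headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def allows_redirect(from_url, to_url, code=302):
    """Report whether the hardened handler would follow a given redirect."""
    handler = NoDowngradeRedirectHandler()
    try:
        handler.redirect_request(urllib.request.Request(from_url),
                                 None, code, "Found", {}, to_url)
    except HTTPError:
        return False
    return True


def build_opener():
    """Opener that both verifies certificates and blocks downgrades."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=verifying_context()),
        NoDowngradeRedirectHandler(),
    )


def harden_index_url(config_text):
    """Rewrite http:// index URLs to https:// in an easy_install-style config
    ([easy_install] section, index_url or index-url key).
    Returns (new_config_text, list_of_urls_that_were_changed). On its own,
    without verifying_context(), this is the step the thread calls insufficient."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    changed = []
    for section in parser.sections():
        for key in ("index_url", "index-url"):
            if not parser.has_option(section, key):
                continue
            url = parser.get(section, key)
            parts = urlsplit(url)
            if parts.scheme.lower() == "http":
                parser.set(section, key, parts._replace(scheme="https").geturl())
                changed.append(url)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue(), changed


# Constructed sample config; pypi.example is a placeholder host, not a real index.
SAMPLE_CONFIG = """\
[easy_install]
index_url = http://pypi.example/simple/
"""

if __name__ == "__main__":
    text, changed = harden_index_url(SAMPLE_CONFIG)
    print("rewritten:", changed)
    print(text)
    print("downgrade followed?",
          allows_redirect("https://pypi.example/simple/", "http://pypi.example/simple/"))
```

To fetch a package index with it, pass `build_opener()` to `urllib.request.install_opener()` or call `build_opener().open(url)` directly; a server presenting an untrusted certificate then fails with `ssl.SSLCertVerificationError` instead of silently succeeding, and a redirect to an http:// URL fails with `HTTPError`.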

