[Distutils] PEP453 - Explicit bootstrapping of pip in Python installations

Justin Cappos jcappos at poly.edu
Wed Sep 4 01:55:52 CEST 2013


We have integrated PyCrypto into TUF and are planning to distribute
binaries for it along with TUF so that TUF will work smoothly on Windows,
Linux, Mac, etc.

We will have a demo that shows TUF integration into pip later this week.
It will have a bunch of example tests you can run that show how pip can be
hacked (some of which will work even if GPG signature verification was
implemented), but that TUF blocks.

More to come!
Justin
P.S. Should we make the unofficial TUF motto "more secure than it used to
be"? :)


On Tue, Sep 3, 2013 at 7:29 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:

>
> On 3 Sep 2013 23:14, "Anders J. Munch" <ajm at flonidan.dk> wrote:
> >
> > Nick Coghlan:
> > > It would be trusting the integrity of PyPI for the software itself,
> > > and the CA system to know that it's actually talking to PyPI. Far from
> > > ideal, but we don't have a viable end-to-end signing system yet
> > > (mostly due to the associated key management and update/revocation
> > > problems).
> >
> > So retrieving pip is over https and the cert is validated? That's a
> > satisfactory answer, certainly.
> >
> > > Given that the trust model for the installer itself is usually "I
> > > downloaded it from python.org", the risk isn't actually increased all
> > > that much.
> >
> > I'd worry about any increase in risk.  If the target becomes big
> > enough, malware may start targeting Python auto-install mechanisms,
> > even if it doesn't today.  The python.org installers are PGP signed,
> > by the way. Maybe you meant the installers retrievable through PyPI?
>
> Those too, but I meant I don't know of anyone that checks the signatures
> of the Windows installers before running them. Certainly beginners don't,
> since "setting up GPG is painful on Windows" is one of the reasons relying
> on it for PyPI is a problem. Sure, it can be done in *theory*, but in
> practice... :P
>
> For me, the bar is currently set at "more secure than it used to be" (a
> baseline which is fortunately higher than it used to be now both pip and
> easy_install do SSL cert verification, but still disturbingly low in other
> ways).
>
> Cheers,
> Nick.
>
> >
> > regards, Anders
> >
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
>