[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

Jesus Cea jcea at jcea.es
Tue Jun 15 23:55:32 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15/06/10 20:52, Tarek Ziadé wrote:
> Do you trust the package you are installing more than an "official"
> mirror ? if so, why ?

If a package is signed by the author, I only need to "trust" the author.

If a package is not signed in PYPI, I must "trust" the author, PYPI
admins and pypi machines security.

If I download from a mirror, with no digital signature, I must trust the
author, PYPI admins, pypi machines security, mirror admins, mirror
machine security and mirror replication protocol. And all network
connections and hard disks in between.

It is just me, call me paranoid, but I pay close attention to where the
package being installed by "easy_install" is pulled from. I have
documented where each package used to live and I check carefully when I
see an unexpected URL. And I freak out when a package upgrade includes
new dependencies I haven't seen before.

> Anyone can upload a package at PyPI with
>
>   os.system('rm -rf /')
>
> in its setup.py...

True. And SCARY. Fortunately I only install packages I am interested
in, check signatures, etc. Of course, I can be hacked if the original
author put a trojan in the package, or he/she was hacked before. But my
exposure is smaller than if I must also trust every link in a LONG chain
of mirrors.

Just check this link, for a recent example:

<http://it.slashdot.org/firehose.pl?op=view&type=story&sid=10/06/13/0046256>

The trojan was not in the original sourcecode, but in an altered mirror
version.

Asking for pypi central node to add signatures is a trivial way of
avoiding this issue. The question is not to trust or not to trust
mirrors, but that we have technology to be safe even if the mirrors are
not trusted. I don't NEED to trust you to be safe. I am happy!

- -- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
.                              _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQCVAwUBTBf21Jlgi5GaxT1NAQLPngP+NfLf7js3ni9FvoDjkrzOB0AmRIyfmDJm
tm0wNEVIlTY+d3st76Gd62ET+VxtgNHfWyNQ82Zp0iAISoWlpDyflJlZ1r5oVjAR
sWOSntdXXZAaaxOkumggi1cHKVCbWAe+62fGctTLWt4QtP4557yJDHZO1LKp1nWe
qtHX5LyUD5k=
=yGPk
-----END PGP SIGNATURE-----
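The check described in the message above (a documented record of where each package is expected to come from, and alarm on an unexpected URL or a dependency not seen before) can be scripted. The following is an added example, not code from the mailing list or from PyPI/setuptools; the `KNOWN` record, the `SAMPLE_PLAN`, the host names and package names are all constructed sample data, and the `insecure-scheme` finding is an extra check added here beyond what the message lists.

```python
"""Audit an easy_install-style download plan against a locally documented
record of expected download hosts and expected dependencies per package.

Added example with constructed data; the record and plan below are made up
and are not real packages or real PyPI URLs.
"""
from urllib.parse import urlsplit

# Constructed: what the operator previously documented for each package
# (hosts it was seen on, dependencies it is known to pull in).
KNOWN = {
    "foo": {"hosts": {"pypi.python.org"}, "deps": {"bar"}},
    "bar": {"hosts": {"pypi.python.org"}, "deps": set()},
}

# Constructed: a download plan as an installer might present it,
# one tuple of (package, download URL, dependencies it wants) per package.
SAMPLE_PLAN = [
    ("foo", "https://pypi.python.org/packages/foo-1.0.tar.gz", ["bar", "baz"]),
    ("bar", "http://mirror.example.net/simple/bar-2.0.tar.gz", []),
    ("baz", "https://pypi.python.org/packages/baz-0.1.tar.gz", []),
]


def audit_plan(plan, known=KNOWN):
    """Return a list of (package, finding, detail) tuples; empty means the
    plan matches the documented record exactly.

    Findings:
      unknown-package  - package never documented before
      unexpected-host  - download host differs from the documented ones
      insecure-scheme  - URL is not https (extra check, see lead-in)
      new-dependency   - a dependency not previously seen for this package
    """
    findings = []
    for pkg, url, deps in plan:
        rec = known.get(pkg)
        if rec is None:
            findings.append((pkg, "unknown-package", url))
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host not in rec["hosts"]:
            findings.append((pkg, "unexpected-host", host))
        if parts.scheme != "https":
            findings.append((pkg, "insecure-scheme", parts.scheme))
        for dep in sorted(set(deps) - rec["deps"]):
            findings.append((pkg, "new-dependency", dep))
    return findings


def is_clean(plan, known=KNOWN):
    """True when the plan raises no findings at all."""
    return not audit_plan(plan, known)


if __name__ == "__main__":
    for pkg, kind, detail in audit_plan(SAMPLE_PLAN):
        print(f"{pkg}: {kind}: {detail}")
```

Run against the constructed plan this flags a new dependency for `foo`, a non-documented mirror host and a plain-http URL for `bar`, and an entirely unknown package `baz`; a plan that matches the record produces no findings. In practice the `KNOWN` record would be kept under version control and updated deliberately after each reviewed change, so that an unexpected URL or dependency shows up as a diff rather than going unnoticed.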

