[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
Justin Cappos
justinc at cs.washington.edu
Wed Jun 16 00:32:39 CEST 2010
On Tue, Jun 15, 2010 at 2:55 PM, Jesus Cea <jcea at jcea.es> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 15/06/10 20:52, Tarek Ziadé wrote:
>> Do you trust the package you are installing more than an "official"
>> mirror ? if so, why ?
>
> If a package is signed by the author, I only need to "trust" the author.
I think it might not be this simple. You're still trusting PYPI to
provide you with the latest version of a package. Absent other
mechanisms, you don't have a way to tell if the file you're being
served is actually a version that is obsolete (possibly due to
security flaws).
Also, in practice many package managers perform dependency resolution
based upon on metadata that isn't signed with the author's GPG key.
http://www.cs.arizona.edu/stork/packagemanagersecurity/otherattacks.html#extradep
Is the plan to use what is proposed in
http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html in
practice? Is more information available about this? Does this
protect against man-in-the-middle attacks?
> If a package is not signed in PYPI, I must "trust" the author, PYPI
> admins and pypi machines security.
>
> If I download from a mirror, with no digital signature, I must trust the
> author, PYPI admins, pypi machines security, mirror admins, mirror
> machine security and mirror replication protocol. And all network
> connections and harddisks in between.
>
> It is just me, call me paranoid, but I pay close attention to where the
> package being installed by "easy_install" is pulled from. I have
> documented where each package used to live and I check carefully when I
> see an unexpected URL. And I freak out when I package upgrade includes
> new dependencies I haven't seen before.
>
>> Anyone can upload a package at PyPI with
>>
>> os.system('rm -rf /')
>>
>> in its setup.py...
>
> True. And SCARY. Fortunatelly I only install packages I am interested
> in, check signatures, etc. Of course, I can be hacked if the original
> autor put a trojan in the package, or he/she was hacked before. But my
> exposure is smaller that if I must trust too every link in a LONG chain
> of mirrors.
>
> Just check his link, for a recent example:
>
> <http://it.slashdot.org/firehose.pl?op=view&type=story&sid=10/06/13/0046256>
>
> The trojan was not in the original sourcecode, but in an altered mirror
> version.
>
> Asking for pypi central node to add signatures is a trivial way of
> avoiding this issue. The question is not to trust or not to trust
> mirrors, but that we have technology to be safe even if the mirrors are
> not trusted. I don't NEED to trust you to be safe. I am happy!.
I think there are other subtle issues here dealing with key
revocation, mismatching of package versions, etc.
A lot of these issues are pretty subtle and I'd be happy to talk in
more detail about how one might address them. In fact, we have a
project that is trying to do so:
https://www.updateframework.com/
Geremy do you want to chime in?
Thanks,
Justin
> - --
> Jesus Cea Avion _/_/ _/_/_/ _/_/_/
> jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/
> jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/_/_/_/
> . _/_/ _/_/ _/_/ _/_/ _/_/
> "Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
> "My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
> "El amor es poner tu felicidad en la felicidad de otro" - Leibniz
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQCVAwUBTBf21Jlgi5GaxT1NAQLPngP+NfLf7js3ni9FvoDjkrzOB0AmRIyfmDJm
> tm0wNEVIlTY+d3st76Gd62ET+VxtgNHfWyNQ82Zp0iAISoWlpDyflJlZ1r5oVjAR
> sWOSntdXXZAaaxOkumggi1cHKVCbWAe+62fGctTLWt4QtP4557yJDHZO1LKp1nWe
> qtHX5LyUD5k=
> =yGPk
> -----END PGP SIGNATURE-----
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>
More information about the Catalog-SIG
mailing list