[Catalog-sig] [Draft] Package signing and verification process

Nick Coghlan ncoghlan at gmail.com
Thu Feb 7 23:26:51 CET 2013


On 8 Feb 2013 02:43, "Giovanni Bajo" <rasky at develer.com> wrote:
>
> On 07/feb/2013, at 17:21, Donald Stufft <donald.stufft at gmail.com> wrote:
>
>> On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote:
>>
>> 1. If we're going to implicitly trust PyPI when it says that key X is valid for package Y,
>>     do we really gain much here? If we're trusting PyPI then we only really need secure
>>     ingress and egress, neither of which needs package signing.
>
>
> Adding a GPG signature on top of SSL helps mitigate (at least) the following concerns:
>
> 1) If a PyPI account password is compromised (stolen, brute-forced, etc.), an attacker cannot upload a package that will be installed by package managers. This also requires making sure that a GPG fingerprint cannot be added to the account without second-factor authentication (this can be anything from a link sent to a security email address to an SMS). Notice that PyPI passwords are currently saved in the filesystem in the clear ($HOME/.pypirc).

Which reminds me: that system *really* should be replaced or supplemented with a time-limited, server-generated auth token, the way Bugzilla and various other services do it.

If need be, I can bug a couple of GPL RH projects to contribute their existing solutions to that problem, but there should be non-GPL examples kicking around the web already.

Cheers,
Nick.
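As an added illustration of the time-limited, server-generated auth token Nick suggests in place of the clear-text password in $HOME/.pypirc (example code, not anything from PyPI or this thread): the server keeps one secret key, the token carries the user name and an expiry timestamp plus an HMAC over both, and verification rejects tampered, forged or expired tokens. The function names, the token layout and the sample secret are assumptions.

```python
# Added example, not from the thread: a time-limited, server-generated upload
# token. The server holds SERVER_KEY; the client stores only the short-lived
# token, so a leaked ~/.pypirc stops being useful once `ttl` seconds pass.
# Token layout (assumed): base64url(JSON claims) "." base64url(HMAC-SHA256).
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_KEY = b"constructed-server-secret-do-not-reuse"  # constructed sample key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl: int, now: Optional[float] = None,
                key: bytes = SERVER_KEY) -> str:
    """Server side: mint a token for `user` valid for `ttl` seconds from `now`."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = json.dumps({"user": user, "exp": exp}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> Optional[str]:
    """Server side: return the user name if the token is intact and unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token (bad split or bad base64)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered payload or forged with another key
    claims = json.loads(payload)  # authentic payload, safe to parse
    if int(claims["exp"]) <= (time.time() if now is None else now):
        return None  # expired
    return claims["user"]
```

The expiry check runs only after the HMAC check succeeds, so an attacker cannot extend a token's lifetime by editing the `exp` claim.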