[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Jesse Noller jnoller at gmail.com
Sun Feb 10 13:57:44 CET 2013



On Sunday, February 10, 2013 at 7:54 AM, Nick Coghlan wrote:

> On Sun, Feb 10, 2013 at 10:36 PM, Jannis Leidel <jannis at leidel.info> wrote:
> > 
> > On 10.02.2013, at 05:44, Nick Coghlan <ncoghlan at gmail.com> wrote:
> > 
> > > On Sun, Feb 10, 2013 at 7:23 AM, Giovanni Bajo <rasky at develer.com> wrote:
> > > > Hello,
> > > > 
> > > > my proposal for fixing PyPI and pip security is here:
> > > > https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit#
> > > > 
> > > > I tried to sum up the discussions we had here last week, elaborating on Heimes' proposal by simplifying it where I thought the additional steps wouldn't guarantee additional security. At this point, the proposal does not include a central, uber-master online GPG signing key to be stored on PyPI, which is IMO quite hard to handle correctly.
> > > 
> > > I think the parts related to improving the HTTPS/SSL based security
> > > are solid, but for the other aspects of secure updates, integrating
> > > TUF (https://www.updateframework.com/) into the PyPI based
> > > distribution infrastructure sounds like the best available option for
> > > enhancing the end-to-end integrity checking. TUF has a comparatively
> > > well-developed threat model, and systematically covers many of the
> attack vectors discussed in the past few days (including provision of
> > > old, known vulnerable, versions).
> > 
> > Would you mind explaining why TUF is good?
> 
> The main benefit in my mind is that it isn't a from-scratch design of
> a secure update infrastructure. Instead, it's a project that was
> started in order to resolve some security holes found in Tor's already
> robust automatic update mechanism, then proceeded from there into
> updates to yum, yast, apt, etc (i.e. the distro update mechanisms that
> are vetted by the security teams of the various Linux vendors). The
> fact Geremy Condra is involved in TUF also counts for a lot with me
> (as I suspect it would for many people that have heard Geremy talk
> about security issues in Python).
> 
That *is* a big +1 from me; do you think we can loop him into these discussions? If you don't have his email, I do.
> 
> However, the design itself also seems sensible, and is able to provide
> its security guarantees even if you're *not* using SSL certs to
> protect the in-flight traffic (thus meaning that the SSL
> infrastructure in the near term will become a matter of providing
> defence-in-depth, rather than being a required part of the security
> scheme).
> 
> I trust our collective ability to make TUF sufficiently easy to use as
> part of Python's packaging infrastructure a *lot* more than I trust
> our collective ability to come up with a from-scratch distribution
> scheme that is both usable *and* secure.
> 
> > The site doesn't seem to work for me right now.
> 
> D'oh, looks like their domain wasn't set to auto-renew :(
> 
> Cheers,
> Nick.
> 
> -- 
> Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
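Added example, not code from this thread and not TUF's own implementation: a toy client-side check of the kind TUF's signed, versioned, expiring metadata gives a package installer, exercised against the case Nick raises above (an old, known-vulnerable release served with a still-valid signature) and the related case of stale metadata served indefinitely. The signing key, the metadata layout, the package names and the timestamps are all constructed for the example; an HMAC with a shared secret stands in for TUF's asymmetric role signatures so that the block runs with the standard library alone.

```python
"""Toy rollback/freeze/integrity checks in the spirit of TUF metadata.

Constructed example: the key, metadata format, package names and times
below are made up for illustration and are not TUF's real format.
"""
import hashlib
import hmac
import json

# Constructed stand-in for a role's signing key. Real TUF uses asymmetric
# signatures (e.g. Ed25519/RSA); an HMAC with a shared secret is used here
# only so the example runs offline with the standard library.
SIGNING_KEY = b"example-role-key-not-real"


def _canonical(meta: dict) -> bytes:
    # Sign a canonical encoding so a re-serialized copy still verifies.
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(meta: dict) -> dict:
    """Wrap metadata in an envelope carrying its signature."""
    sig = hmac.new(SIGNING_KEY, _canonical(meta), hashlib.sha256).hexdigest()
    return {"signed": meta, "sig": sig}


class Client:
    """Installer-side state: remembers the last trusted metadata version."""

    def __init__(self, trusted_version: int = 0):
        self.trusted_version = trusted_version

    def accept(self, envelope: dict, now: float) -> dict:
        signed = envelope["signed"]
        expected = hmac.new(SIGNING_KEY, _canonical(signed), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["sig"]):
            raise ValueError("signature does not verify")
        # Rollback protection: a valid signature alone is not enough; the
        # version number must never go backwards from what we already trust.
        if signed["version"] < self.trusted_version:
            raise ValueError(f"rollback: version {signed['version']} < trusted {self.trusted_version}")
        # Freeze protection: signed metadata carries an expiry, so a server
        # cannot keep serving a once-valid snapshot forever.
        if now > signed["expires"]:
            raise ValueError("metadata expired")
        self.trusted_version = signed["version"]
        return signed

    def verify_target(self, signed: dict, name: str, content: bytes) -> bool:
        """Check a downloaded file against the length and hash in trusted metadata."""
        entry = signed["targets"][name]
        if len(content) != entry["length"]:
            return False
        return hmac.compare_digest(hashlib.sha256(content).hexdigest(), entry["sha256"])


def demo() -> dict:
    """Replay a constructed sequence of metadata against one client."""
    t0 = 1_360_000_000  # constructed 'now' (early Feb 2013, epoch seconds)
    day = 86_400
    old_sdist = b"constructed contents of pkg-1.0.tar.gz"
    new_sdist = b"constructed contents of pkg-1.1.tar.gz"

    def targets_for(name, blob):
        return {name: {"length": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}}

    v1 = sign_metadata({"version": 1, "expires": t0 + 7 * day,
                        "targets": targets_for("pkg-1.0.tar.gz", old_sdist)})
    v2 = sign_metadata({"version": 2, "expires": t0 + 7 * day,
                        "targets": targets_for("pkg-1.1.tar.gz", new_sdist)})

    client = Client()
    results = {}
    signed = client.accept(v2, now=t0)
    results["accepted_v2"] = signed["version"]
    results["target_ok"] = client.verify_target(signed, "pkg-1.1.tar.gz", new_sdist)
    results["tampered_target_ok"] = client.verify_target(signed, "pkg-1.1.tar.gz", new_sdist + b"x")
    # Replay of the older, validly signed metadata: rejected as a rollback.
    try:
        client.accept(v1, now=t0)
        results["rollback_rejected"] = False
    except ValueError:
        results["rollback_rejected"] = True
    # The same v2 served long after its expiry: rejected as a freeze.
    try:
        client.accept(v2, now=t0 + 30 * day)
        results["freeze_rejected"] = False
    except ValueError:
        results["freeze_rejected"] = True
    # Envelope with a bumped version but a signature made over other content.
    forged = {"signed": {**v2["signed"], "version": 3}, "sig": v2["sig"]}
    try:
        client.accept(forged, now=t0)
        results["forgery_rejected"] = False
    except ValueError:
        results["forgery_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point the block makes is the one behind Nick's remark: transport security and a valid signature on the file do not by themselves stop a mirror from handing out an older release, so the client has to persist the last trusted version and metadata has to expire. Real TUF layers this across several roles (root, timestamp, snapshot, targets) with key rotation and thresholds, none of which the toy attempts.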
