[Catalog-sig] A modest proposal for securing PyPI with TUF

[Nick Coghlan]

On Tue, Mar 12, 2013 at 11:41 PM, Trishank Karthik Kuppusamy
<tk47 at students.poly.edu> wrote:
> Hello everyone,
>
> I am pleased to announce our demonstration of PyPI and pip with TUF.
>
> Firstly, we solicit your thoughts and comments on our design document for
> integrating PyPI with TUF:
>
> https://docs.google.com/document/d/1sHMhgrGXNCvBZdmjVJzuoN5uMaUAUDWBmn3jo7vxjjw/edit?usp=sharing

Thanks for putting this together!

Just a few notes regarding key management:
- the PSF board generally stays out of the technical details of
running the python.org infrastructure, so it's likely that any root
keys would be handled by the PSF infrastructure committee. A (2, 4) or
(3, 5) trust configuration would likely be manageable at this level.
- at the target delegation level, PyPI supports the registration of
new projects through the web service (see
http://docs.python.org/2/distutils/packageindex.html). If my
understanding of target delegation is correct, this means the "simple"
and "packages/source/<letter>" delegations will need to be (1, 1) and
online.
- higher levels of the target delegation hierarchy could conceivably
be kept offline, but there seems little value in doing so if they're
trusting on online (1, 1) key
- many PyPI packages are maintained by single developers, so (1, 1) or
(1, n) is likely to be the only generally feasible level of signing at
the project level.

With the current focus being on getting an improvement from the status
quo that we can successfully deploy in a reasonable period of time,
the target delegation side of things probably needs to be
substantially simpler in the initial iteration. Yes, it leaves us open
to certain vulnerabilities we would like to remove in the long run,
but we need to be very cautious in the additional demands we place on
the users uploading to PyPI. It may even mean the initial iteration
allows projects to rely on a PyPI provided signing key for their TUF
metadata, using the existing upload mechanisms to add the files to
PyPI.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia