[Distutils] PGP keys required? (Re: PEP 243)

[Bob Ippolito]

On Feb 1, 2004, at 8:46 PM, Keith Jackson wrote:

> On Jan 31, 2004, at 2:34 PM, Bob Ippolito wrote:
>
>> On Jan 31, 2004, at 4:59 PM, Keith Jackson wrote:
>>
>>> On Jan 29, 2004, at 3:26 AM, Bob Ippolito wrote:
>>>
>>>> On Jan 29, 2004, at 6:15 AM, Anthony Baxter wrote:
>>>
>>> Yes, but I don't think that prevents distutils from running a shell 
>>> command to invoke gpg. I'd really like to see this as an option. As 
>>> soon as people start putting more things up in a repository, the 
>>> more likely it will become that someone tries to trojan things. I'd 
>>> also like to see M2Crypto or pyOpenSSL support for S/MIME sigs.
>>
>> Well, right now there is no repository, PyPI links to the author's 
>> page.  There are repositories for Mac ports, though, but we're not 
>> terribly worried at the moment (I maintain one of them, python.org 
>> has the other maintained by Jack).  The package index has MD5 hashes 
>> and URLs to tarballs (that can be anywhere).  Obviously you have to 
>> trust me or Jack, and the integrity of our servers, but I don't think 
>> that's a huge problem right now.  I do have a CA-signed SSL cert for 
>> pythonmac.org and I could put a package index there.. so you could 
>> verify that there wasn't some sort of spoof or man in the middle 
>> attack, but it just hasn't been worth doing so far.
>
> I'm not concerned about man in the middle attacks. As far as I know, 
> there has never been one documented in the wild. Seems more like 
> something security people like to sit around and worry about. :)
>
> Mostly what I worry about is someone hacking the repository and 
> handing out trojan binaries. This has happened to a number of major 
> sites already, and can cause real problems, e.g., if someone trojans 
> openssl for example. For now, I'm fine with having the md5/sha1 hashes 
> on a different machine then the code. Now a cracker has to get access 
> to both machines. We could even out of band mirror the hashes on other 
> web sites. If I got pgp or s/mime mail from you or Jack, I would put 
> hashes up on a LBNL machine.

The pythonmac-sig proposed-but-nobody-is-working-on-it solution is for 
Jack and I to use some secure mechanism, let's say s/mime or pgp, to 
send the hash of our package *index* every time we make an update.

That way, one hash is sent that confirms the integrity of every hash in 
the index.

>>> Yes, but of course this begs the age old key distribution problem.
>>
>> So does anything else?
>>
>
> :), No it always comes back to bite you. I think we could come up with 
> a scheme that doesn't involve key distribution for more then a few of 
> us. If we want to mirror the hashes of the packages, I think signed 
> mail amongst a small subset of us would work fine.

I'm fine with that, I use a script to update my package index anyways 
(though I suspect Jack might do his by hand ;).  It wouldn't be much 
trouble for me to add the code to send a s/mime email to someone, my 
Mail.app is already configured to use s/mime (though it's off most of 
the time, because of stupid mailing lists and email clients that don't 
like them).

>>> I'm all in favor of some kind of optional support for PGP or S/MIME 
>>> signatures, I exist in an X.509 world, so I could take advantage of 
>>> it for my own work. That said, I think that code integrity in the 
>>> repository is a much bigger issue that authenticating who put the 
>>> code into the repository. (yes i do understand that the sig will 
>>> also handle integrity, but it is probably overkill)
>>>
>>> All a sha1 hash would say is that: The distutils repository only 
>>> contains the code that was legitimately submitted. That doesn't mean 
>>> someone didn't submit a trojan, but it does mean that for major 
>>> projects like wxPython that if the hash verifies then most likely 
>>> things are ok.
>>
>> md5 and sha1 hashes are fine, Python comes with those.. but crypto 
>> isn't really an option because there are people who are concerned 
>> about the associated export/import laws that will not let it go into 
>> mainline Python (I tried).
>
> I think the hashes are great. I would still like to see optional 
> support for some kind of dig sig. This could be completely optional, 
> and require the separate installation of M2Crypto or PyOpenSSL. 
> Mostly, I'd just like to design something that doesn't rule out using 
> digital signatures.

I'd like to see it too, the problem is that nobody wants to write the 
code and convince people to put it in Python and use it ;)

>>> Sorry for the long post, but I think if we're going to do a python 
>>> repository, we should be concerned about the integrity of the 
>>> repository.
>>> --keith
>>>
>>> p.s. How does CPAN deal with these issues?
>>
>> They don't, and I haven't really heard of any problems.  From what I 
>> understand, the author uploads a package to PAUSE (w/ a 
>> login/password, probably not even over SSL), and it gets replicated 
>> throughout CPAN in a few hours.
>>
>
> It's a good thing I'm not a cracker. :) That is just frightening to 
> me. I doubt I'll be getting anything from CPAN any longer. I've always 
> thought CPAN was the best part of perl, and I'd sure like to see the 
> python community do something even better. ;)

Yeah, well, most of the software in CPAN is pretty poorly designed 
anyways ;)

-bob