[Distutils] What to do about the PyPI mirrors

Donald Stufft donald at stufft.io
Tue Aug 6 08:47:29 CEST 2013


On Aug 6, 2013, at 2:31 AM, Noah Kantrowitz <noah at coderanger.net> wrote:

> 
> On Aug 5, 2013, at 11:11 PM, Christian Theune <ct at gocept.com> wrote:
> 
>> Two more things:
>> 
>> why is the CDN not suffering from the security problems you describe for the mirrors?
>> 
>> a) Fastly seems to be the one owning the certificate for pypi.python.org. What?!?
> 
> They have a delegated SAN for it, which DigiCert (the CA) authorizes with the domain contact (the board in this case).
> 
>> b) What does stop Fastly from introducing incorrect/rogue code in package downloads?
> 
> Basically this one boils down to personal trust from me to the Fastly team combined with the other companies using them being very reputable. At the end of the day, there is not currently any cryptographic mechanism preventing Fastly from doing bad things.

To further expand on this answer, you need to trust *someone*. If we cut out Fastly here you could say, well, what prevents Dyn Inc (DNS host) from simply redirecting the DNS to a different host? What prevents OSUOSL from simply accessing the machines stored there and doing bad things (™)? Hell, how many people here know the entire infrastructure team and have personally decided to trust them?

At the end of the day you need to pick and choose who you trust. Right now we're working on narrowing down the number of people trusted. The Python Infrastructure has decided it is willing to extend trust to Fastly to cover PyPI the same as it was willing to extend trust to Dyn, and OSUOSL, and even the members of the Infra team.

Now, that being said, narrowing the list of people you need to trust is an ongoing goal, and one that isn't going to stop with limiting the number of places able to publish at varying python.org domain names who don't need to be. We're not in a particularly well-off position yet, but we are getting better all the time.

> 
> --Noah
> 
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
