[Distutils] What to do about the PyPI mirrors

Donald Stufft donald at stufft.io
Tue Aug 6 09:23:44 CEST 2013


On Aug 6, 2013, at 3:15 AM, martin at v.loewis.de wrote:

> 
> Quoting Nick Coghlan <ncoghlan at gmail.com>:
> 
>> On 6 August 2013 16:09, Christian Theune <ct at gocept.com> wrote:
>>> Hi,
>>> 
>>> 
>>> looks like I'm late to the party to figure out that I'm going to be hurt
>>> again.
>> 
>> That's why I asked for this to be put through the PEP process: to give
>> it more visibility, and provide more opportunity for people
>> potentially affected to have a chance to comment and offer
>> alternatives. Giving third parties the opportunity to read python.org
>> cookies indefinitely isn't an option.
> 
> Define "third party". There are a number of organisations other than the
> PSF that can read python.org cookies.
> 
> As Noah explains, it's a matter of trust. Noah chooses to trust Fastly,
> I choose to trust Christian Theune. We both have then imposed our trust
> on the community.

Sure, but there's also the matter of the *number* of people trusted; each new
person to trust is another potential pain point. There's really no requirement
to have the mirrors hosted on N.pypi.python.org. The fact that they are is a legacy
issue that can be corrected with a much better story for reliability and security.

> 
> In any case, I consider the cookie issue a red herring. Mirror operators
> could only steal cookies if users actually pointed their web browsers to
> the mirrors. They typically don't, since they use setuptools or pip,
> which doesn't even have access to the cookies. And, if a mirror operator
> actually does request cookies, there is a high risk in being caught in
> doing so. If that happens, the mirror operator will not only lose the mirror,
> but also lose community trust.

The cookie issue is very serious because it does not require someone to
knowingly point their browser at N.pypi.python.org. A mirror operator
could simply inline an image tag in a package, someone views the package
page, and automatically makes a request to N.pypi.python.org which is
sent the cookie and a script on N.pypi.python.org can read it.

Also, as for the claim that there is a high risk of being caught, there isn't really. It
would be very easy to do this near silently.

> 
> Regards,
> Martin
> 
> 
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

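The passive leak Donald describes works because a cookie scoped to a parent domain (for example one set with Domain=.python.org) is attached by the browser to any request for a host under that domain, including an image request that a package description causes the viewer's browser to make. The following is an added example, not code from the thread or from PyPI: it models browser cookie scoping with Python's http.cookiejar (configured so host-only cookies stay host-only, as browsers treat them), extracts the image URLs from a constructed package description, and reports which cookies would ride along with each image fetch. The cookie names, values, domains, the description text and the hostnames a.pypi.python.org and mirror.example.net are all constructed for the illustration.

```python
"""Added example (not from the thread or from PyPI): which python.org cookies
a browser would attach to an image a package page causes it to fetch.
Cookie names, values and the sample description are constructed."""
from html.parser import HTMLParser
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy
from urllib.request import Request


def make_cookie(name, value, domain, domain_specified):
    """Build a Netscape-style session cookie as a Set-Cookie header would.

    domain_specified=True models 'Set-Cookie: ...; Domain=.python.org', which
    browsers send to every host under python.org.  False models a host-only
    cookie (no Domain attribute) that browsers return only to the exact host.
    """
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=domain_specified,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def browser_like_jar(cookies):
    """Jar whose policy treats host-only cookies the way browsers do."""
    # DomainStrictNonDomain: a cookie without a Domain attribute is returned
    # only to the host that set it, never to that host's subdomains.
    policy = DefaultCookiePolicy(
        strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
    jar = CookieJar(policy)
    for cookie in cookies:
        jar.set_cookie(cookie)
    return jar


class ImgSrcExtractor(HTMLParser):
    """Collect the src of every <img> in a rendered package description."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for key, val in attrs:
                if key == "src" and val:
                    self.srcs.append(val)


def img_sources(html):
    parser = ImgSrcExtractor()
    parser.feed(html)
    return parser.srcs


def cookies_sent_to(jar, url):
    """Return the Cookie header a browser-like client would attach to url,
    or None when no stored cookie is in scope for that host."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leaked_cookies(jar, description_html):
    """Map each embedded image URL to the cookies the viewer's browser sends."""
    return {src: cookies_sent_to(jar, src) for src in img_sources(description_html)}


# Constructed cookies: one domain-wide session cookie, one host-only cookie.
SAMPLE_COOKIES = [
    make_cookie("pysession", "s3cret", ".python.org", domain_specified=True),
    make_cookie("pypi_csrf", "t0ken", "pypi.python.org", domain_specified=False),
]

# Constructed package description: one image on a mirror under python.org,
# one on an unrelated host, both as a mirror operator could upload them.
SAMPLE_DESCRIPTION = (
    "<p>Mirror-friendly package.</p>"
    '<img src="http://a.pypi.python.org/pixel.gif" width="1" height="1">'
    '<img src="http://mirror.example.net/pixel.gif">'
)

if __name__ == "__main__":
    jar = browser_like_jar(SAMPLE_COOKIES)
    for src, header in leaked_cookies(jar, SAMPLE_DESCRIPTION).items():
        print(f"{src} -> Cookie: {header}")
```

Only the domain-wide cookie reaches the mirror host; the host-only cookie stays with pypi.python.org, and the image on the unrelated host receives nothing. Whether a real deployment is exposed therefore depends entirely on how python.org scopes its session cookies, which is the question the thread is arguing about.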