[Distutils] What to do about the PyPI mirrors
Donald Stufft
donald at stufft.io
Tue Aug 6 09:23:44 CEST 2013
On Aug 6, 2013, at 3:15 AM, martin at v.loewis.de wrote:
>
> Quoting Nick Coghlan <ncoghlan at gmail.com>:
>
>> On 6 August 2013 16:09, Christian Theune <ct at gocept.com> wrote:
>>> Hi,
>>>
>>>
>>> looks like I'm late to the party to figure out that I'm going to be hurt
>>> again.
>>
>> That's why I asked for this to be put through the PEP process: to give
>> it more visibility, and provide more opportunity for people
>> potentially affected to have a chance to comment and offer
>> alternatives. Giving third parties the opportunity to read python.org
>> cookies indefinitely isn't an option.
>
> Define "third party". There are a number of organisations other than the
> PSF that can read python.org cookies.
>
> As Noah explains, it's a matter of trust. Noah chooses to trust Fastly,
> I choose to trust Christian Theune. We both have then imposed our trust
> on the community.
Sure, but there's also the matter of the *number* of people trusted; each new
person to trust is another potential pain point. There's really no requirement
to have the mirrors hosted on N.pypi.python.org. The fact they do is a legacy
issue that can be corrected with a much better story for reliability and security.
>
> In any case, I consider the cookie issue a red herring. Mirror operators
> could only steal cookies if users actually pointed their web browsers to
> the mirrors. They typically don't, since they use setuptools or pip,
> which doesn't even have access to the cookies. And, if a mirror operator
> actually does request cookies, there is a high risk in being caught in
> doing so. If that happens, the mirror operator will not only lose the mirror,
> but also lose community trust.
The cookie issue is very serious because it does not require someone to
knowingly point their browser at N.pypi.python.org. A mirror operator
could simply inline an image tag in a package, someone views the package
page, and automatically makes a request to N.pypi.python.org which is
sent the cookie and a script on N.pypi.python.org can read it.
Also, as to the claim that there is a high risk of being caught: there isn't really. It
would be very easy to do this near silently.
>
> Regards,
> Martin
>
>
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
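The cookie-scope point above rests on how browsers decide which cookies to attach to a request. The following is an added illustration, not code from the thread or from PyPI: it implements the RFC 6265 domain-matching rule and compares a cookie scoped to the parent domain (Domain=python.org) with a host-only cookie set by pypi.python.org without a Domain attribute. The cookie name and the mirror host names are constructed for the example.

```python
"""Cookie scope check: which cookies would a browser send to a mirror host?

Added example (not from the original thread). Implements the RFC 6265
domain-matching rule to show why a cookie scoped to the parent domain
reaches every N.pypi.python.org mirror, while a host-only cookie does not.
Host names and the cookie name below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # Domain attribute, or the setting host for host-only cookies
    host_only: bool      # True when Set-Cookie carried no Domain attribute
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookies_sent_to(host: str, jar: list[Cookie], https: bool = True) -> list[str]:
    """Return the names of cookies a browser would attach to a request to `host`."""
    sent = []
    for c in jar:
        if c.host_only:
            # Host-only cookies go back only to the exact host that set them.
            ok = host.lower() == c.domain.lower()
        else:
            # Domain cookies go to the domain and every subdomain of it.
            ok = domain_matches(host, c.domain)
        if ok and (https or not c.secure):
            sent.append(c.name)
    return sent


# Constructed jar: the same session cookie set two ways.
WEAK_JAR = [Cookie("session", "python.org", host_only=False)]        # Domain=python.org
STRICT_JAR = [Cookie("session", "pypi.python.org", host_only=True)]  # no Domain attribute


def leak_report(mirror_host: str) -> dict:
    """Which cookies a request to `mirror_host` carries under each scoping choice."""
    return {
        "weak": cookies_sent_to(mirror_host, WEAK_JAR),
        "strict": cookies_sent_to(mirror_host, STRICT_JAR),
    }


if __name__ == "__main__":
    for host in ("pypi.python.org", "b.pypi.python.org", "mirror.example.net"):
        print(host, leak_report(host))
```

Running it shows the two outcomes the thread argues over: with Domain=python.org the session cookie is attached to any request to b.pypi.python.org, so whoever operates that host receives it; with the host-only cookie nothing is sent there, and a mirror on an unrelated domain such as mirror.example.net receives nothing in either case. Scoping cookies to the exact host, or moving mirrors off the parent domain as the message suggests, removes the exposure.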