[Distutils] Malicious packages on PyPI

Pandu Poluan pepoluan at gmail.com
Thu Jun 1 23:46:34 EDT 2017


+1 for transitive trust.

At the base/simplest level, `pip` would trust any packages trusted by PyPI.

More advanced users / more security-oriented installation can add
additional "required trusts".

Maybe another special "PyPI Curator" pseudo-user. All packages whose
signing key is trusted by PyPI *and* PyPI Curator can be deemed trustworthy.

And if in a highly secure environment, probably internal curators. Which
means that installation of packages will require three (or more) trusts:
PyPI, PyPI Curator, curator-1 at example.com, curator-2 at example.com, etc.

(The relationship need not be simple boolean AND, but can also be
implemented as a score system. For example, PyPI has weight 0.5, PyPI
Curator has weight 1.0, internal company curators have weights 2.0 (> PyPI
+ PyPI Curator), and minimum acceptable score is 5.5, meaning that the
package must be trusted by PyPI, PyPI Curator, and at least 2 internal
company curators.)

We can even create multiple levels of "PyPI Curator":

* PyPI Trusted Authors -- automagically trust well-known 'authors'
* PyPI Voted Trust -- packages voted by a committee (or by minimum N users)
to be trustworthy
* PyPI Audited Trust -- packages that had gone through a more thorough code
audit / code review


Rgds,
--


FdS Pandu E Poluan
~ IT Optimizer ~

 • LOPSA Member #15248
 • Blog : http://pandu.poluan.info/blog/
 • Linked-In : http://id.linkedin.com/in/pepoluan

On Fri, Jun 2, 2017 at 9:33 AM, Matt Joyce <matt at nycresistor.com> wrote:

> I was more pushing for the transitive trust element than signing.  That
> being said, any signing at all would be progress.
>
> On Jun 1, 2017 9:07 PM, "Donald Stufft" <donald at stufft.io> wrote:
>
>
> On Jun 1, 2017, at 8:15 PM, Matt Joyce <matt at nycresistor.com> wrote:
>
> Or start doing signed pgp for package maintainers and build a transitive
> trust model.
>
>
>
> PGP is not useful for our use case except as a generic crypto primitive,
> and there are better generic crypto primitives out there. See
> https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/
>
>
>> Donald Stufft
>
>
>
>
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
>
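The weighted-trust scheme sketched in the message above (PyPI at 0.5, PyPI Curator at 1.0, internal curators at 2.0, threshold 5.5), written out as a small policy evaluator. This is an added illustration, not code from the thread and not pip's or PyPI's own logic; the curator addresses, the package records and the "required signers" option are assumptions for the example. It also goes one step past the text: with those weights, three internal curators alone sum to 6.0 and pass a pure score check, which is why the block carries a second policy that additionally makes PyPI and PyPI Curator hard requirements.

```python
"""Weighted, multi-curator trust policy for package installation.

Added example for the scoring scheme in the message above; it is not pip,
PyPI or any proposed implementation. Weights and the threshold come from the
message; signer names and package records are constructed for the example.
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Decision:
    accepted: bool
    score: float
    missing: frozenset   # required signers that did not vouch for the package
    unknown: frozenset   # signers that vouched but are not in the policy (weight 0)


@dataclass(frozen=True)
class TrustPolicy:
    weights: dict            # signer id -> weight of that signer's trust
    minimum_score: float     # installable when the weighted sum reaches this
    # Boolean-AND part (assumed option): signers that must all vouch,
    # whatever the score says.
    required: frozenset = field(default_factory=frozenset)

    def evaluate(self, trusted_by) -> Decision:
        present = frozenset(trusted_by)   # a signer counts once, however often listed
        unknown = present - frozenset(self.weights)
        score = sum(self.weights.get(s, 0.0) for s in present)
        missing = self.required - present
        accepted = not missing and score >= self.minimum_score
        return Decision(accepted, score, missing, unknown)


# Weights and threshold as stated in the message; the three internal curator
# addresses are assumed for the example.
WEIGHTS = {
    "pypi": 0.5,
    "pypi-curator": 1.0,
    "curator-1@example.com": 2.0,
    "curator-2@example.com": 2.0,
    "curator-3@example.com": 2.0,
}
SCORE_POLICY = TrustPolicy(weights=WEIGHTS, minimum_score=5.5)
# Same weights, but PyPI and PyPI Curator are also hard requirements.
STRICT_POLICY = replace(SCORE_POLICY, required=frozenset({"pypi", "pypi-curator"}))

# Constructed trust records: package name -> signers whose key vouched for it.
TRUST_DB = {
    "good-lib": {"pypi", "pypi-curator", "curator-1@example.com", "curator-2@example.com"},
    "half-vetted": {"pypi", "pypi-curator", "curator-1@example.com"},
    "internal-only": {"curator-1@example.com", "curator-2@example.com", "curator-3@example.com"},
    "typo-squat": {"pypi", "stranger@example.net", "stranger@example.net"},
}


def installable(package: str, policy: TrustPolicy = SCORE_POLICY) -> Decision:
    """Decide whether `package` may be installed under `policy`.

    Unknown packages have no vouching signers and therefore score 0.
    """
    return policy.evaluate(TRUST_DB.get(package, ()))


if __name__ == "__main__":
    for name in TRUST_DB:
        for label, policy in (("score", SCORE_POLICY), ("strict", STRICT_POLICY)):
            d = installable(name, policy)
            print(f"{name:14s} {label:6s} score={d.score:<4} "
                  f"accepted={d.accepted} missing={sorted(d.missing)}")
```

Under SCORE_POLICY, "good-lib" reaches exactly 5.5 and is accepted, "half-vetted" stops at 3.5, and "internal-only" is accepted at 6.0 without PyPI or PyPI Curator having signed anything; STRICT_POLICY rejects that last case and reports both as missing. Signers the policy has never heard of, as in "typo-squat", add nothing to the score and are surfaced in Decision.unknown so an installer can log them.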