[Distutils] Removing wheel signing features from the wheel library
Trishank Kuppusamy
trishank.kuppusamy at datadoghq.com
Thu Mar 22 16:52:55 EDT 2018
Hi Wes,
On Thu, Mar 22, 2018 at 4:40 PM, Wes Turner <wes.turner at gmail.com> wrote:
>
> The hashes serve as file integrity check but provide no assurance that
> they are what the author intended to distribute because there is no
> cryptographic signature.
>
> File hashes help detect bit flips -- due to solar flares -- in storage or
> transit, but do not mitigate against malicious package modification to
> packages in storage or transit.
>
> AFAIU, TUF (The Update Framework) has a mechanism for limiting which
> signing keys are valid for which package? Are pre-shared keys then still
> necessary, or do we then rely on a PKI where one compromised CA cert can
> then forge any other cert?
>
Yes, you are right, the hashes need to be signed: otherwise you have
integrity, but no authenticity.
We wrote PEPs 458 <https://www.python.org/dev/peps/pep-0458/> and 480
<https://www.python.org/dev/peps/pep-0480/> to discuss how TUF might be
deployed on PyPI / Warehouse. The PEPs go into details about public key
distribution. The TLDR is that is that clients (i.e., pip) need to be
shipped with one self-signed root metadata file, and the rest of the PKI is
bootstrapped from there. PyPI would act as an authority that distributes,
revokes, and replaces public keys for packages.
More details on security vs usability also available in our Diplomat
<https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/kuppusamy>
paper.
If the community is interested, we'd love to discuss how we could help make
this happen.
Thanks,
Trishank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20180322/e9b55d99/attachment.html>
More information about the Distutils-SIG
mailing list