[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]
Stefan Krah
stefan at bytereef.org
Thu May 8 17:34:54 CEST 2014
Donald Stufft <donald at stufft.io> wrote:
> > Today I've switched to manual install mode with manual sha256sum verification
> > which is *far* safer than anything you get via pip right now.
>
> It is not safer in any meaningful way.
>
> If someone is in a position to compromise the integrity of PyPI's TLS, they
> can replace the hash on that page with something else. Now you've attempted to
> work around this by telling people to go look up the release announcement
> hash. However if someone can compromise the integrity of PyPI's TLS, they can
> also compromise the integrity of https://mail.python.org/, or GMane, or any
> other TLS based website[1].
Of course it is safer. Suppose a file is stored on PyPI:
1) Attacker guesses my username (or is it even visible, I'm not sure).
2) Clicks on "lost login".
3) Intercepts mail (difficult, but far from the TLS attack category).
Maybe on a home or university network. Or a rogue person at a
mail provider.
4) Changes the uploaded file together with the hash.
pip would be perfectly happy; checking the hash via Google would turn
up a mismatch.
Stefan Krah
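The scenario in the message above, modelled as an added example (this is not code from the thread, from pip, or from cdecimal): an index serves a file together with its hash, so a check that reads both from the same source only detects transfer corruption, while a hash pinned from an independent channel (the release announcement) catches a substituted file. Every archive, index entry and hash value here is constructed for the demonstration; the index format and the function names are assumptions, not pip's behaviour or API.

```python
import hashlib
import hmac

# Constructed sample release as the maintainer built it. The maintainer then
# publishes its SHA-256 through a channel that does not depend on the index
# (in the thread: the release announcement on the mailing list).
ORIGINAL_ARCHIVE = b"cdecimal-2.3.tar.gz: original contents (constructed sample)"
ANNOUNCED_SHA256 = hashlib.sha256(ORIGINAL_ARCHIVE).hexdigest()

# Constructed replacement an attacker with access to the upload account could
# push: a different file plus a hash that matches that different file.
TAMPERED_ARCHIVE = b"cdecimal-2.3.tar.gz: replaced contents (constructed sample)"


def index_entry(archive: bytes) -> dict:
    """Model (assumed, not a real index format) of what the index serves:
    the file content and the hash the index advertises for it."""
    return {"file": archive, "sha256": hashlib.sha256(archive).hexdigest()}


def verify_against_index(entry: dict) -> bool:
    """Check the file against the hash obtained from the same index entry.
    The hash and the file travel together, so an attacker who replaces one
    replaces the other; this only detects accidental corruption in transfer."""
    actual = hashlib.sha256(entry["file"]).hexdigest()
    return hmac.compare_digest(actual, entry["sha256"])


def parse_pinned(pinned: str) -> str:
    """Parse an out-of-band pin written as 'sha256:<64 hex chars>' (assumed
    format). Rejects other algorithms and malformed digests rather than
    silently accepting them."""
    algo, sep, digest = pinned.strip().lower().partition(":")
    if sep != ":" or algo != "sha256":
        raise ValueError("pin must be 'sha256:<hex digest>'")
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed sha256 digest in pin")
    return digest


def verify_against_pinned(entry: dict, pinned: str) -> bool:
    """Check the file against a hash that did not come from the index.
    hmac.compare_digest avoids leaking the mismatch position via timing."""
    actual = hashlib.sha256(entry["file"]).hexdigest()
    return hmac.compare_digest(actual, parse_pinned(pinned))


def check_release(entry: dict, pinned: str) -> dict:
    """Run both checks and report them side by side, so the difference between
    the two trust models is visible for a given index entry."""
    return {
        "index_hash_ok": verify_against_index(entry),
        "pinned_hash_ok": verify_against_pinned(entry, pinned),
    }


if __name__ == "__main__":
    pin = "sha256:" + ANNOUNCED_SHA256
    print("genuine upload :", check_release(index_entry(ORIGINAL_ARCHIVE), pin))
    print("tampered upload:", check_release(index_entry(TAMPERED_ARCHIVE), pin))
```

Run stand-alone, the genuine entry passes both checks and the tampered entry passes only the index check, which is the mismatch the message says a cross-check against the announcement would turn up. The pin must of course be fetched over a path the index operator and the account holder do not control; a pin copied from the index page adds nothing.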