[Python-Dev] Yearly PyPI breakage

Glyph glyph at twistedmatrix.com
Tue May 3 20:56:13 EDT 2016


On May 3, 2016, at 2:38 PM, Stefan Krah <stefan at bytereef.org> wrote:
> 
> But making them completely unreachable does not increase reliability. :)

But it does increase security.

The other motivation, besides reliability, listed in this section <https://www.python.org/dev/peps/pep-0470/#my-users-have-a-worse-experience-with-this-pep-than-before-how-do-i-explain-that>, is that:

"transparently including external links [is] a security hazard (given that in most cases it allowed a MITM to execute arbitrary Python code on the end users machine)".

And, indeed, the URL presently listed on PyPI for the cdecimal upload is an unverified http URL.  This means that any evil barista with access to a coffee-shop wifi router could instantly execute user-privileged code on any Python programmer's laptop if they were to `pip install` this externally hosted package, which is one of the reasons why neither `pip` nor `pypi` allow such a thing any more.

Please believe me when I say I do not mean the following to be insulting - information security is incredibly confusing, difficult, and rapidly evolving, and I don't blame you for getting it wrong - but maintaining a popular package in this way is dangerously irresponsible.  There are solid social reasons to centralize the control of the default package repository in the hands of dedicated experts who can scale their security expertise to a large audience, so that package authors like you and I don't need to do this in order to prevent Python from gaining a reputation as a vector for malware; this package is a case in point.

Separately from the issue of how PyPI works, even if you have some reason you need to host it externally (which I seriously doubt), please take the trouble to set up a server with properly verified TLS, or use a '.github.io' hostname that can be verified that way.

In the meanwhile, just to demonstrate that it's a trivial amount of work to just host it on PyPI, I checked out this package via a verified mechanism ("git clone https://github.com/bytereef/bytereef.github.io") and created a new pypi-cdecimal package <https://pypi.python.org/pypi/pypi-cdecimal>, via editing the setup.py to change the name, 'python setup.py register', 'python setup.py sdist', 'pip wheel' (for some reason direct 'python setup.py bdist_wheel' didn't work), and 'twine upload'.  `pip install pypi-cdecimal` should now work and get you an importable `cdecimal`, and if you happen to be lucky enough to run the same OS version I am, you won't even need to build C code.  cdecimal users may wish to retrieve it via this mechanism until there's a secure way to get the proper upstream distribution.

If anyone wants package-index access to this name to upload Windows or manylinux wheels just let me know; however, as this is just a proof of concept, I do not intend to maintain it long-term.

-glyph
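The hazard the post describes (an external download link served over plain http, which an on-path attacker can rewrite before pip ever sees the archive) can be checked for mechanically. The following is an added example, not code from the original post, from pip, or from PyPI: it parses a small, constructed simple-index page (the hostnames are placeholders), classifies each download link by whether the transport is authenticated (https) and whether the content is pinned with a `#sha256=` fragment, and verifies a downloaded payload against that pin. The four verdict labels are this example's own, not pip's.

```python
"""Audit package-index download links for the MITM exposure PEP 470 describes.

Added example, not code from pip, PyPI or the original post. It reads a small
constructed simple-index page, flags links that are neither transport-verified
(https) nor content-pinned (#sha256=...), and checks a payload against its pin.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urlparse

# Constructed sample of a simple-index page. Hostnames are placeholders; the
# sha256 value is the digest of the bytes b"hello", used below as the payload.
SAMPLE_INDEX = """<html><body>
<a href="https://files.example.org/pkg-1.0.tar.gz#sha256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824">pkg-1.0.tar.gz</a>
<a href="https://mirror.example.org/pkg-1.0.tar.gz">pkg-1.0.tar.gz (mirror, no pin)</a>
<a href="http://downloads.example.org/pkg-1.0.tar.gz#sha256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824">pkg-1.0.tar.gz (plain http, pinned)</a>
<a href="http://downloads.example.org/pkg-1.0.tar.gz" rel="download">pkg-1.0.tar.gz (plain http, no pin)</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    """Return all download links found on an index page, in document order."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pin_url(url, data):
    """Attach a #sha256= fragment naming the exact bytes the link must serve."""
    base, _ = urldefrag(url)
    return f"{base}#sha256={sha256_hex(data)}"


def expected_sha256(url):
    """Return the sha256 pin carried in the URL fragment, or None if absent."""
    _, fragment = urldefrag(url)
    if fragment.startswith("sha256="):
        return fragment[len("sha256="):].lower()
    return None


def classify_link(url):
    """Classify one link by transport authentication and content pinning."""
    transport_verified = urlparse(url).scheme.lower() == "https"
    pinned = expected_sha256(url) is not None
    if transport_verified and pinned:
        verdict = "ok"
    elif transport_verified:
        verdict = "unpinned-tls"  # server authenticated, content not pinned
    elif pinned:
        # Bytes are verifiable, but only if the index carrying the pin was
        # itself fetched over an authenticated channel.
        verdict = "pinned-plaintext"
    else:
        verdict = "insecure"  # anyone on the path can substitute the archive
    return {"url": url, "transport_verified": transport_verified,
            "pinned": pinned, "verdict": verdict}


def audit_index(html):
    """Classify every download link on an index page."""
    return [classify_link(u) for u in extract_links(html)]


def verify_download(data, url):
    """True only if the URL carries a sha256 pin and the payload matches it."""
    expected = expected_sha256(url)
    return expected is not None and sha256_hex(data) == expected


if __name__ == "__main__":
    for entry in audit_index(SAMPLE_INDEX):
        print(f"{entry['verdict']:17} {entry['url']}")
```

Running the module prints one line per link; only the first sample link is both authenticated and pinned, and the last is exactly the situation the post warns about. Pointing `extract_links` at a real index page you have already fetched lets you find such links before they reach an installer.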
