<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>Il giorno 05/feb/2013, alle ore 15:34, Daniel Holth <<a href="mailto:dholth@gmail.com">dholth@gmail.com</a>> ha scritto:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft <span dir="ltr"><<a href="mailto:donald.stufft@gmail.com" target="_blank">donald.stufft@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<div><span style="color:rgb(160,160,168)">On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:</span></div><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px">
<span><div dir="ltr">As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped SHA2 hash of the file to be downloaded from an external host would be enough to detect tampering over time.<br>
</div></span></blockquote></div><div>You could do this, still lowers the overall availability of the system which kinda sucks, and</div><div>to actually be sane and secure you'd still need to rework the current method of trolling for external</div>
<div>urls.</div><div class="im"><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px"><span><div dir="ltr"><div>
<br></div><div>pip could come with a copy of PyPI's ssl certificate, verifying that it was identical to the expected cert rather than signed by one of 100s of trusted CAs.<br></div></div></span></blockquote>
</div><div>That loses the ability to change PyPI's SSL cert, basically forever and still doesn't protect MITM against</div><div>someone logging into PyPI through a browser. </div></blockquote><div><br></div><div>Or it could just notify you whenever the SSL certificate changed. <a href="http://tack.io/">http://tack.io/</a> lets a site sign its SSL certificate with a key that doesn't change. Of course doing SSL at all is the priority.<br>
</div></div></div></div></blockquote></div><div><br></div><div>The point is that it's not important to get there in the first place. If you want to solve this additional problem (CA vulnerabilites), then there is no reason why pip should use a SSL endpoint with a certificate singed by a public, global CA. Global CAs are used for browsers. pip could connect and use to a SSL webservice using a self-signed CA, and pin that CA forever.</div><div><br></div><div>My position on the matter is that this issue should be rediscussed after we fix the major problems, one of which is the fact that pip is using HTTP and not HTTPS. There is a pull request here:</div><div><a href="https://github.com/pypa/pip/pull/789">https://github.com/pypa/pip/pull/789</a></div><div><br></div><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>-- </div><div>Giovanni Bajo :: <a href="mailto:rasky@develer.com">rasky@develer.com</a><br>Develer S.r.l. :: <a href="http://www.develer.com/">http://www.develer.com</a><br><br>My Blog: <a href="http://giovanni.bajo.it/">http://giovanni.bajo.it</a></div><div><br></div></div></span></div></span><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline">
</div>
<br></body></html>