<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Python dev, and the PSRT is aware that the ssl work needs to be taken care of, in core. 3.3 is already doing things mostly right - those need to be back ported.</div><div><br></div><div>I need to bring this up to the security team; it was part of the working document Christian, Donald stufft, Brett Cannon, I and others have been discussing things on to triage the immediate issues</div><div><br>On Feb 9, 2013, at 7:50 PM, Giovanni Bajo <<a href="mailto:rasky@develer.com">rasky@develer.com</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><div><div>To clarify, the specific item that Justin mentioned (urlllb drop-in replacement) is related to a single task (#2) out of 13 in my document. That task is also being separately handled by pip (<a href="https://github.com/pypa/pip/pull/791">https://github.com/pypa/pip/pull/791</a>) and it's almost ready to merged and fixed. The urllib replacement can still be interesting for easy_install though.</div><div><br></div><div>TUF is a more complex framework, and is alternative to several items in my proposal, as far as I can tell. I don't know TUF well enough, though.</div><div><br></div><div>BTW, I would like that, instead of having a urllib replacement that does SSL the way it should be done, the standard urllib did it. So maybe Justin should push it to python-dev instead.</div><div><br></div><div>Il giorno 10/feb/2013, alle ore 00:43, Jesse Noller <<a href="mailto:jnoller@gmail.com">jnoller@gmail.com</a>> ha scritto:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="content-type" content="text/html; charset=utf-8"><div dir="auto"><div><span style="-webkit-text-size-adjust: auto;">Is what you just said part of </span><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Giovanni's proposal he sent for review?</span></div><div style="-webkit-text-size-adjust: auto; "><br>On Feb 9, 2013, at 6:40 PM, Justin Cappos <<a href="mailto:jcappos@poly.edu">jcappos@poly.edu</a>> wrote:<br><br></div><blockquote type="cite" style="-webkit-text-size-adjust: auto; "><div dir="ltr">We're hoping to be able to fix this by interposing on network communications by these tools. The basic idea is that we'll have a replacement for urllib, urllib2, etc. that adds and validates security cleanly. (Note the replacements will only be used in python package managers.) TUF ( <a href="https://www.updateframework.com/">https://www.updateframework.com/</a> ) will correctly validate security metadata and only pass validly signed information to the package manager for installation. <div>
<br></div><div>So the hope is that other than a few lines of code that import the alternative for urllib, urllib2, etc. there won't be any changes. We will be maintaining the security code as a separate project (TUF is used by things other than Python package managers) and will be constantly improving it.</div>
<div><br></div><div style="">Anyways, I won't be able to attend, but I will try to get a student to show a demo in the hallways at PyCon to show what we mean...</div><div><div style=""><br></div><div style="">Thanks,</div>
<div style="">Justin</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Feb 9, 2013 at 6:28 PM, Jesse Noller <span dir="ltr"><<a href="mailto:jnoller@gmail.com" target="_blank">jnoller@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
<br>
On Feb 9, 2013, at 6:13 PM, Stephen Thorne <<a href="mailto:stephen@thorne.id.au">stephen@thorne.id.au</a>> wrote:<br>
<br>
> Hello,<br>
><br>
> One of my concerns with the recent pip dramas that have seen some excellent and timely action from catalog-sig and others, is that 'setuptools' is still widely distributed and used instead of distribute/pip.<br>
<br>
</div>Well, lets back up: these aren't pip specific problems: just about every client side tool for installing from pypi suffers from lax security.<br>
<div class="im"><br>
><br>
> Setuptools either needs to be sunset, notices put on pypi, warnings given to its users, out of linux distros, or it has to upgraded to be feature compatible with the security updates.<br>
><br>
> That's a strong statement I've made, but I feel strongly that something has to be done. I would like to solicit opinions here before an action plan is composed.<br>
<br>
</div>This is a bit of a question mark to me: the reality is that easy_install/setup tools usage is probably still dramatically higher than that of more modern tooling. That, and AFAIK, there are still features of them that the alternatives do not support (binary eggs, which are a must for windows).<br>
<br>
This leaves us at the point where they can not be sunset unless the "other tools" grow the features of setuptools/easy_install or we (the collective we) take on the burden of updating that tool chain to support secure installations.<br>
<br>
Just patching them for security fixes seems like an "easy" task; the bigger question is how to do that only without further feature addition and getting a release out the door?<br>
<br>
Jesse<br>
_______________________________________________<br>
Catalog-SIG mailing list<br>
<a href="mailto:Catalog-SIG@python.org">Catalog-SIG@python.org</a><br>
<a href="http://mail.python.org/mailman/listinfo/catalog-sig" target="_blank">http://mail.python.org/mailman/listinfo/catalog-sig</a><br>
</blockquote></div><br></div>
</blockquote></div>_______________________________________________<br>Catalog-SIG mailing list<br><a href="mailto:Catalog-SIG@python.org">Catalog-SIG@python.org</a><br><a href="http://mail.python.org/mailman/listinfo/catalog-sig">http://mail.python.org/mailman/listinfo/catalog-sig</a></blockquote></div><div><br></div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>-- </div><div>Giovanni Bajo :: <a href="mailto:rasky@develer.com">rasky@develer.com</a><br>Develer S.r.l. :: <a href="http://www.develer.com/">http://www.develer.com</a><br><br>My Blog: <a href="http://giovanni.bajo.it/">http://giovanni.bajo.it</a></div><div><br></div></div></span><br class="Apple-interchange-newline"></div></span><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline">
</div>
<br></div></blockquote></body></html>