<div dir="ltr">FYI: TUF has a custom metadata field in the targets metadata that could potentially be used for this purpose. We can explain more if there is interest...</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 12, 2018 at 8:26 AM, Nathaniel Smith <span dir="ltr"><<a href="mailto:njs@pobox.com" target="_blank">njs@pobox.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">From the TUF perspective it seems like it would be straightforward to make the MOTD a "package", whose "contents" is the MOTD text, and that we "upgrade" it to get the latest text before displaying anything.<span class="HOEnZb"><font color="#888888"><div dir="auto"><br></div><div dir="auto">-n</div></font></span></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Thu, Apr 12, 2018, 05:10 Nick Coghlan <<a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 12 April 2018 at 07:01, Paul Moore <<a href="mailto:p.f.moore@gmail.com" rel="noreferrer" target="_blank">p.f.moore@gmail.com</a>> wrote:<br>
> HTTPS access to the index server is fundamental to pip - if an<br>
> attacker can subvert that, they don't need to mess with a message,<br>
> they can just replace packages. So I don't see that displaying a<br>
> message that's available from that same index server is an additional<br>
> vulnerability, surely? But I'm not a security expert - I'd defer to<br>
> someone like Donald to comment on the security aspects of any proposal<br>
> here.<br>
<br>
Right now it doesn't create any additional vulnerabilities, since<br>
we're relying primarily on HTTPS for PyPI -> installer security.<br>
<br>
However, that changes once PEP 458 gets implemented, as that will<br>
switch the primary package level security mechanism over to TUF, which<br>
includes a range of mechanisms designed to detect tampering with the<br>
link to PyPI (including freeze attacks that keep you from checking for<br>
new packages, or attempting to lie about which versions are<br>
available).<br>
<br>
So the scenario we want to avoid is one where an attacker can present<br>
a notice that says "Please ignore that scary security warning your<br>
installer is giving you, we're having an issue with the metadata<br>
generation process on the server. To resolve the problem, please force<br>
upgrade pip".<br>
<br>
That's a solvable problem (e.g. only check for the MOTD *after*<br>
successfully retrieving a valid metadata file), but it's still<br>
something to take into account.<br>
<br>
Cheers,<br>
Nick.<br>
<br>
-- <br>
Nick Coghlan | <a href="mailto:ncoghlan@gmail.com" rel="noreferrer" target="_blank">ncoghlan@gmail.com</a> | Brisbane, Australia<br>
______________________________<wbr>_________________<br>
Distutils-SIG maillist - <a href="mailto:Distutils-SIG@python.org" rel="noreferrer" target="_blank">Distutils-SIG@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/distutils-sig" rel="noreferrer noreferrer" target="_blank">https://mail.python.org/<wbr>mailman/listinfo/distutils-sig</a><br>
</blockquote></div>
</div></div><br>______________________________<wbr>_________________<br>
Distutils-SIG maillist - <a href="mailto:Distutils-SIG@python.org">Distutils-SIG@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/distutils-sig" rel="noreferrer" target="_blank">https://mail.python.org/<wbr>mailman/listinfo/distutils-sig</a><br>
<br></blockquote></div><br></div>