Hi, devpi folks! I figure you might want to take a look at the PyPI security PEP currently being discussed, since I could imagine devpi wanting to also add TUF metadata handling for packages, and in case there are interoperability concerns/questions.
https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/
The PEP authors are revising the proposed summary, title, etc., per https://github.com/secure-systems-lab/peps/blob/c13384a4fac6822626abb7e09ab… :
> Attacks on software repositories are common, even in organizations with very
good security practices__. The resulting repository compromise allows an
attacker to edit all files stored on the repository and sign these files using
any keys stored on the repository (online keys). In many signing schemes (like
TLS), this access allows the attacker to replace files on the repository and
make it look like these files are coming from PyPI. Without a way to revoke and
replace the trusted private key, it is very challenging to recover from a
repository compromise. In addition to the dangers of repository compromise,
software repositories are vulnerable to an attacker on the network (MITM)
intercepting and changing files. These and other attacks on software
repositories are detailed here__. This PEP aims to protect users of PyPI from
compromises of the integrity, consistency and freshness properties of PyPI
packages, and enhances compromise resilience, by mitigating key risk and
providing mechanisms to recover from a compromise of PyPI or its signing keys.
In addition to protecting direct users of PyPI, this PEP aims to provide similar
protection for users of PyPI mirrors.
> To provide compromise resilient protection of PyPI, this PEP proposes the use of
The Update Framework [2]_ (TUF). .....
> This PEP describes changes to the PyPI infrastructure that are needed to ensure
that users get valid packages from PyPI. ...
> __ https://github.com/theupdateframework/pip/wiki/Attacks-on-software-reposito…
> __ https://theupdateframework.github.io/security.html
Discussion should probably be directed to the Discourse thread at discuss.python.org ; this is just a heads-up.
--
Sumana Harihareswara
Changeset Consulting
sh(a)changeset.nyc
I'm having trouble with a reverse-proxy config and could use some
assistance.
We have the following setup:
LOAD BALANCER
Accepts requests via the official hostname and HTTPS (port 443)
Forwards requests to Devpi Nginx server
Sends headers X-Forwarded-Port, X-Forwarded-Host, X-Forwarded-Proto matching
the official hostname, HTTPS, and 443.
DEVPI NGINX SERVER
Accepts requests via port 80
Serves requests for +f files directly (works perfectly)
Forwards remaining requests to Devpi Python server
DOES NOT override headers X-Forwarded-Port, X-Forwarded-Host,
X-Forwarded-Proto (I have those proxy_set_header values from the
recommended nginx.conf commented out so that Nginx doesn't override them)
DOES NOT send header X-Outside-Url (I also have that commented out)
The behavior is that all links, CSS tags, and JavaScript tags point to
http://localhost/... instead of https://the.correct.domain.name/...
What do I need to change to make Devpi properly use the X-Forwarded-Port,
X-Forwarded-Host, X-Forwarded-Proto headers coming from the load balancer?
Thanks,
Nick
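The symptom in the message above (links rendered against the upstream's own address instead of the public hostname) comes down to which request headers an application is allowed to trust when it builds absolute URLs. The following is an added example, not devpi-server's code and not the poster's configuration: a minimal, generic version of that logic for a WSGI-style environ. It honours X-Forwarded-Proto/Host/Port and an X-Outside-Url override only when the TCP peer is in a list of trusted proxy networks, and otherwise falls back to the socket-level values, which is exactly what produces localhost links behind a proxy. The trusted-proxy CIDR list, the function names and the sample environ are constructed for this example and are not devpi-server options.

```python
"""Added example (not devpi-server's own code): reconstruct the externally
visible base URL behind a reverse proxy, trusting X-Forwarded-* / X-Outside-Url
only from known proxy addresses.

Header names follow the usual nginx/WSGI conventions; the trusted-proxy CIDR
list is an assumption of this example, not a devpi-server option.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def from_trusted_proxy(environ, trusted_proxies):
    """True if the TCP peer (REMOTE_ADDR) lies inside one of the trusted CIDRs.

    Any other client could have set X-Forwarded-* itself, so its values are
    ignored rather than used to build links (or, worse, redirects).
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in ipaddress.ip_network(net, strict=False)
               for net in trusted_proxies)


def first_value(environ, key):
    """Forwarded headers may carry a comma-separated chain; the first entry is
    the value written by the proxy closest to the client."""
    return environ.get(key, "").split(",")[0].strip()


def outside_url(environ, trusted_proxies=()):
    """Return 'scheme://host[:port]' that absolute links should be built from."""
    trusted = from_trusted_proxy(environ, trusted_proxies)

    # 1. An explicit override (the X-Outside-Url header mentioned in the post)
    #    is taken as-is, but only when it arrives from a trusted proxy.
    override = environ.get("HTTP_X_OUTSIDE_URL")
    if trusted and override:
        parts = urlsplit(override)
        if parts.scheme in DEFAULT_PORTS and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"

    # 2. Socket-level values: what the proxy's upstream connection presents.
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    port = None

    # 3. Forwarded headers replace them, again only from a trusted proxy.
    if trusted:
        scheme = first_value(environ, "HTTP_X_FORWARDED_PROTO").lower() or scheme
        host = first_value(environ, "HTTP_X_FORWARDED_HOST") or host
        fport = first_value(environ, "HTTP_X_FORWARDED_PORT")
        if fport.isdigit():
            port = int(fport)

    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")

    # Split a 'host:port' Host header (IPv6 literals are out of scope here).
    hostname, _, hostport = host.partition(":")
    if port is None and hostport.isdigit():
        port = int(hostport)

    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{hostname}"
    return f"{scheme}://{hostname}:{port}"


# Constructed sample environ: a local nginx proxies to the app on localhost:3141
# and passes the load balancer's X-Forwarded-* headers through untouched.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "127.0.0.1",
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "localhost:3141",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "the.correct.domain.name",
    "HTTP_X_FORWARDED_PORT": "443",
}

if __name__ == "__main__":
    # Forwarded headers ignored: links would point at the upstream address.
    print(outside_url(SAMPLE_ENVIRON))
    # nginx on 127.0.0.1 is trusted: links use the public scheme and host.
    print(outside_url(SAMPLE_ENVIRON, ["127.0.0.1/32"]))
```

The design point is that the forwarded headers are an assertion by whoever spoke to the application last, so the application should either receive a single authoritative X-Outside-Url from the proxy it trusts or validate the peer address before honouring X-Forwarded-*; accepting them from arbitrary clients lets a caller choose the host that ends up in generated links.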