On Tuesday, February 12, 2019, Eric Peterson <epeterson@interactivebrokers.com> wrote:
[...]. I am wondering if there is a programmatic way to access the SHA-256 for a file (besides just scraping the web page)? Ideally there would be some way to construct a URL based on the name of the file that, when called, would return the fingerprint.
Because you'd be retrieving the SHA-256 over the same channel as the release archive, and said checksum is not signed, the SHA-256 should not be considered sufficient for ensuring release integrity. (Because if the bad guy is MITM'ing the release archive retrieval, they could also be MITM'ing the SHA-256 retrieval.)

Ways to mitigate such risk:

- retrieve SHA-256 cryptographic hash checksums over a different channel
- cryptographically sign the SHA-256 checksums with a key and retrieve the corresponding key over a different channel

Re: GPG and PyPI: https://github.com/pypa/warehouse/issues/3810#issuecomment-405975460

From https://python-security.readthedocs.io/packages.html#pypi :
- PEP 458 – Surviving a Compromise of PyPI (27-Sep-2013)
- PEP 480 – Surviving a Compromise of PyPI: The Maximum Security Model (8-Oct-2014)
- Making PyPI security independent of SSL/TLS by Nick Coghlan
...

The Update Framework (TUF) is in part derived from Thandy (the tor updater). There's an automotive derivative of TUF called Uptane. https://theupdateframework.github.io/

"Roadmap update for TUF support" https://github.com/pypa/warehouse/issues/5247

"TUF deployment roadmap for PyPI" https://github.com/theupdateframework/tuf/issues/816#

SHA-256 is not sufficient. GPG was removed because it was insufficient. Does TUF need funding, person-hours, new code, or code-review?
Thanks,
Eric

--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-leave@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/FLNOENK2525RMHGL7SV2SBUXKSOJHSEZ/
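The threat model in the reply above, as an added example (not code from the thread or from PyPI/TUF): a checksum fetched over the same channel as the archive passes verification even when both were swapped, whereas a checksum pinned out of band, or one authenticated with a key obtained out of band, catches the swap. The archives, the key and the HMAC stand-in for a detached signature are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample release archive and an attacker's trojaned replacement.
GOOD_ARCHIVE = b"genuine-package-1.0.tar.gz contents"
EVIL_ARCHIVE = b"trojaned-package-1.0.tar.gz contents"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_channel_download(mitm: bool):
    """Archive and its SHA-256 both come from one (possibly MITM'd) channel.
    A MITM that swaps the archive simply republishes a matching checksum."""
    archive = EVIL_ARCHIVE if mitm else GOOD_ARCHIVE
    published_sum = sha256_hex(archive)  # recomputed by the attacker when mitm
    return archive, published_sum


def verify_same_channel(mitm: bool) -> bool:
    """Naive check: compare the file against the checksum served beside it."""
    archive, published_sum = same_channel_download(mitm)
    return hmac.compare_digest(sha256_hex(archive), published_sum)


# Mitigation 1: checksum obtained over a different channel (constructed here
# as a value pinned ahead of time); the MITM on the download channel can't alter it.
OUT_OF_BAND_SUM = sha256_hex(GOOD_ARCHIVE)


def verify_out_of_band(mitm: bool) -> bool:
    archive, _ = same_channel_download(mitm)
    return hmac.compare_digest(sha256_hex(archive), OUT_OF_BAND_SUM)


# Mitigation 2: checksum authenticated with a key fetched out of band. HMAC is
# an assumed stand-in for a real detached signature (GPG/TUF); the property
# shown is the same: whoever swaps the file lacks the publisher's key.
PUBLISHER_KEY = secrets.token_bytes(32)  # constructed; obtained out of band


def sign_checksum(checksum: str, key: bytes) -> str:
    return hmac.new(key, checksum.encode(), "sha256").hexdigest()


def verify_signed(mitm: bool) -> bool:
    archive, published_sum = same_channel_download(mitm)
    signer_key = secrets.token_bytes(32) if mitm else PUBLISHER_KEY  # attacker guesses
    tag = sign_checksum(published_sum, signer_key)
    file_ok = hmac.compare_digest(sha256_hex(archive), published_sum)
    tag_ok = hmac.compare_digest(sign_checksum(published_sum, PUBLISHER_KEY), tag)
    return file_ok and tag_ok
```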