On Tuesday, February 12, 2019, Eric Peterson <epeterson@interactivebrokers.com> wrote:
> [...]. I am wondering if there is a programmatic way to access the SHA-256 for a file (besides just scraping the web page)? Ideally there would be some way to construct a URL based on the name of the file that, when called, would return the fingerprint.
Because you'd be retrieving the SHA-256 over the same channel as the release archive and said checksum is not signed, the SHA-256 should not be considered sufficient for ensuring release integrity.
(Because if the bad guy is MITM'ing the release archive retrieval, they could also be MITM'ing the SHA-256 retrieval)
Ways to mitigate such risk:
- retrieve SHA-256 cryptographic hash checksums over a different channel
- cryptographically sign the SHA-256 checksums with a key and retrieve the corresponding key over a different channel
Re: GPG and PyPI:
> - PEP 458 – Surviving a Compromise of PyPI (27-Sep-2013)
> - PEP 480 – Surviving a Compromise of PyPI: The Maximum Security Model (8-Oct-2014)
> - Making PyPI security independent of SSL/TLS by Nick Coghlan
... The Update Framework (TUF) is in part derived from Thandy (the Tor updater). There's an automotive derivative of TUF called Uptane.
"Roadmap update for TUF support"
"TUF deployment roadmap for PyPI"
SHA-256 is not sufficient. GPG was removed because it was insufficient.
Does TUF need funding, person-hours, new code, or code-review?
Thanks,
Eric
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-leave@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/FLNOENK2525RMHGL7SV2SBUXKSOJHSEZ/
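Added example, not part of the thread and not PyPI's or TUF's code: a small Go client that contrasts the two verification models discussed above. VerifyUnsigned is the "scrape the SHA-256 from the same page" approach; VerifySigned first checks an Ed25519 signature over the checksum file against a public key the client already holds (obtained out of band), then compares the digest. The mitm function models an attacker on the download channel who can rewrite both the archive and the checksum file but has no signing key. Go is used because its standard library ships Ed25519; the key pair, file name and archive bytes are constructed for the demonstration, and the sha256sum-style checksum format is an assumption about how the checksums would be published.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// parseChecksums reads sha256sum(1)-style lines ("<64 hex chars>  <filename>")
// into a map from filename to lowercase hex digest. Malformed lines are errors.
func parseChecksums(data []byte) (map[string]string, error) {
	sums := map[string]string{}
	sc := bufio.NewScanner(bytes.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("bad hex digest in %q", line)
		}
		// sha256sum prefixes the name with '*' in binary mode; strip it.
		sums[strings.TrimPrefix(fields[1], "*")] = strings.ToLower(fields[0])
	}
	return sums, sc.Err()
}

// VerifyUnsigned compares the archive digest with an unsigned checksum file
// fetched over the same channel: it catches a corrupted transfer, not an
// attacker who can rewrite both files.
func VerifyUnsigned(name string, archive, checksums []byte) (bool, error) {
	sums, err := parseChecksums(checksums)
	if err != nil {
		return false, err
	}
	want, ok := sums[name]
	if !ok {
		return false, fmt.Errorf("no checksum entry for %q", name)
	}
	got := sha256.Sum256(archive)
	return hex.EncodeToString(got[:]) == want, nil
}

// VerifySigned checks the Ed25519 signature over the checksum file against a
// pinned, out-of-band public key before trusting any digest in it.
func VerifySigned(name string, archive, checksums, sig []byte, pinned ed25519.PublicKey) (bool, error) {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, checksums, sig) {
		return false, errors.New("checksum file signature does not verify against pinned key")
	}
	return VerifyUnsigned(name, archive, checksums)
}

// release is what the download channel delivers to the client.
type release struct {
	name               string
	archive, sums, sig []byte
}

// publish writes the checksum file for one archive and signs it with the release key.
func publish(priv ed25519.PrivateKey, name string, archive []byte) release {
	d := sha256.Sum256(archive)
	sums := []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(d[:]), name))
	return release{name: name, archive: archive, sums: sums, sig: ed25519.Sign(priv, sums)}
}

// mitm swaps the archive and rewrites the checksum file to match; lacking the
// signing key, it can only forward the original signature.
func mitm(r release, evil []byte) release {
	d := sha256.Sum256(evil)
	forged := []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(d[:]), r.name))
	return release{name: r.name, archive: evil, sums: forged, sig: r.sig}
}

// Scenario reports whether each check accepts the genuine and the tampered download.
func Scenario() (genuineOK, tamperedUnsignedOK, tamperedSignedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed release key; pub is what the client pins
	if err != nil {
		return false, false, false, err
	}
	genuine := publish(priv, "pkg-1.0.tar.gz", []byte("genuine release contents")) // constructed sample archive
	tampered := mitm(genuine, []byte("backdoored release contents"))
	if genuineOK, err = VerifySigned(genuine.name, genuine.archive, genuine.sums, genuine.sig, pub); err != nil {
		return false, false, false, err
	}
	if tamperedUnsignedOK, err = VerifyUnsigned(tampered.name, tampered.archive, tampered.sums); err != nil {
		return false, false, false, err
	}
	tamperedSignedOK, _ = VerifySigned(tampered.name, tampered.archive, tampered.sums, tampered.sig, pub) // rejection is the expected result
	return genuineOK, tamperedUnsignedOK, tamperedSignedOK, nil
}

func main() {
	g, u, s, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine, signed check: %v\ntampered, unsigned SHA-256 check: %v\ntampered, signed check: %v\n", g, u, s)
}
```

Running it shows the unsigned SHA-256 check accepting the tampered archive (the attacker rewrote the checksum file too) while the signed check rejects it. The security of VerifySigned rests entirely on how the client got the pinned key: if it were fetched from the same page as the archive, the attacker could substitute their own key and the check would be no stronger than the unsigned one.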