RE: [Distutils] PGP keys required? (Re: PEP 243)
From: Keith Jackson [mailto:krjackson@lbl.gov]
A single S/MIME email from you or Jack would totally suffice for me for the short term. That way I could look in the archive, verify the sig, and know that the hashes are valid. (Assuming you and Jack aren't really black hats. :)
Ironically, that message just came through with an "invalid digital signature" warning. I've no idea what Outlook (yes, I know, so sue me) considers in making this judgement, but I no longer trust anything you say, in case you are not who you say you are :-) On a more serious note, this demonstrates why I don't trust digital signatures much. Unless this really *was* someone else masquerading as Keith, what do I do? I've never seen a genuinely hacked download, to my knowledge, but I *have* seen warnings and errors from invalid signatures. So ignoring signature errors is the correct approach, based on the evidence I have encountered! I'm not trying to argue the case, just to demonstrate how the world looks from the POV of security-naive people like me... Paul.
Moore, Paul wrote:
From: Keith Jackson [mailto:krjackson@lbl.gov]
A single S/MIME email from you or Jack would totally suffice for me
for
the short term. That way I could look in the archive, verify the sig, and know that the hashes are valid. (Assuming you and Jack aren't really black hats. :)
Ironically, that message just came through with an "invalid digital signature" warning. I've no idea what Outlook (yes, I know, so sue me) considers in making this judgement, but I no longer trust anything you say, in case you are not who you say you are :-)
FWIW, the PSF will start creating a web of trust which should allow you to trust signatures if you see them on the web without actually knowing the person owning the signature.
On a more serious note, this demonstrates why I don't trust digital signatures much. Unless this really *was* someone else masquerading as Keith, what do I do? I've never seen a genuinely hacked download, to my knowledge, but I *have* seen warnings and errors from invalid signatures. So ignoring signature errors is the correct approach, based on the evidence I have encountered!
I'm not trying to argue the case, just to demonstrate how the world looks from the POV of security-naive people like me...
Perhaps distutils should simply start to add MD5 or SHA hash sums of the created archives to the meta-data which gets uploaded to e.g. PyPI. That way, the user can easily see whether a mirror has the correct packages or not. Better than nothing, I'd say, and easy to implement even without having to go through all the PKI stuff :-) -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Feb 03 2004)
Python/Zope Consulting and Support ... http://www.egenix.com/ mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
2004-01-23: Released mxODBC.Zope.DA 1.0.8 http://zope.egenix.com/ ::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,FreeBSD for free ! ::::
On Feb 3, 2004, at 2:01 AM, M.-A. Lemburg wrote:
Perhaps distutils should simply start to add MD5 or SHA hash sums of the created archives to the meta-data which gets uploaded to e.g. PyPI. That way, the user can easily see whether a mirror has the correct packages or not. Better than nothing, I'd say, and easy to implement even without having to go through all the PKI stuff :-)
I'm all in favor of associating hashes with all packages that get uploaded. My real question is how do we prevent a black hat from uploading a new version of M2Crypto, or PyOpenSSL that has been trojaned. As long as they changed the hash values, and I haven't cached them locally, I'd have no way of knowing. I can point to real examples of this happening in the open-source world. It would be fine with me if we could come up with a scheme where only package authors and the PyPI people need to deal with PKI. As part of the upload I could sign a copy of the SHA1 hash value for the package. This could be a detached PGP sig, an S/MIME sig, I don't care, although I think PGP would probably be best for our community. The PyPI could have a key, and then do signing BoF's at OSCON and PyCon, etc. I don't think this should be mandatory today, but I would hate to see us design a system that wouldn't support rudimentary security. I think we do it so only the hashes are used for now by actual users. That way we avoid any export laws and other such nonsense. All the PGP stuff could be done at the cli, or as part of the auto submission process. --keith
participants (3)
-
Keith Jackson -
M.-A. Lemburg -
Moore, Paul