PEP 458: Secure transport independent download integrity for PyPI packages
Attacks on software repositories are common, even in organizations with very good security practices__. The resulting repository compromise allows an attacker to edit all files stored on the repository and sign these files using any keys stored on the repository (online keys). In many signing schemes (like TLS), this access allows the attacker to replace files on the repository and make it look like these files are coming from PyPI. Without a way to revoke and replace the trusted private key, it is very challenging to recover from a repository compromise. In addition to the dangers of repository compromise, software repositories are vulnerable to an attacker on the network (MITM) intercepting and changing files. These and other attacks on software repositories are detailed here__. This PEP aims to protect users of PyPI from compromises of the integrity, consistency and freshness properties of PyPI
This is more of a PyPI security discussion than a core Python issue, but I figured I'd bring attention to it anyway: https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/ The PEP authors are revising the proposed summary, title, etc., per https://github.com/secure-systems-lab/peps/blob/c13384a4fac6822626abb7e09ab7... : packages, and enhances compromise resilience, by mitigating key risk and providing mechanisms to recover from a compromise of PyPI or its signing keys. In addition to protecting direct users of PyPI, this PEP aims to provide similar protection for users of PyPI mirrors.
To provide compromise resilient protection of PyPI, this PEP proposes the use of The Update Framework [2]_ (TUF). .....
This PEP describes changes to the PyPI infrastructure that are needed to ensure that users get valid packages from PyPI. ...
__ https://github.com/theupdateframework/pip/wiki/Attacks-on-software-repositor... __ https://theupdateframework.github.io/security.html
Discussion should probably be directed to the Discourse thread at discuss.python.org ; this is just a heads-up. -- Sumana Harihareswara Changeset Consulting sh@changeset.nyc
FYI, BDFL-Delegate Donald Stufft wrote today https://discuss.python.org/t/pep-458-secure-pypi-downloads-with-package-sign... :
It looks like discussion about the actual meat and potatoes of this PEP has petered out. Unless someone has an objection, I intend to accept this PEP on Friday.
participants (1)
-
Sumana Harihareswara