From guido@python.org  Thu Mar  7 01:14:07 2002
From: guido@python.org (Guido van Rossum)
Date: Wed, 06 Mar 2002 20:14:07 -0500
Subject: [Catalog-sig] Chris Liechti: dead link
Message-ID: <200203070114.g271E7H18216@pcp742651pcs.reston01.va.comcast.net>

Does anybody know a substitute link?

--Guido van Rossum (home page: http://www.python.org/~guido/)

------- Forwarded Message

Date:    Thu, 07 Mar 2002 00:35:23 +0100
From:    Chris Liechti <cliechti@gmx.net>
To:      webmaster@python.org
Subject: dead link

on this catalog-sig page:
http://python.org/sigs/catalog-sig/others.html

the debian link is dead:
http://www.debian.org/doc/packaging-manuals/packaging.html/
the directory still exists but there is no packaging.html

chris



------- End of Forwarded Message



From lac@strakt.com  Thu Mar  7 19:38:31 2002
From: lac@strakt.com (Laura Creighton)
Date: Thu, 7 Mar 2002 20:38:31 +0100
Subject: [Catalog-sig] dead link about Debian packages
Message-ID: <200203071938.g27JcVls018889@ratthing-b246.strakt.com>

This is a link to the FAQ about Debian packages:
http://www.debian.org/doc/FAQ/ch-pkg_basics.html

Be warned: Here is the last entry in its entirety:


6.15 How do I create Debian packages myself? 

For more detailed description on this, read the New Maintainers' Guide, available in the maint-guide package, or at
ftp://ftp.debian.org/debian/doc/package-developer/maint-guide.html.tar.gz. 

I think that it is a copy of that guide that you really want to link to.

That is Here:
http://www.debian.org/doc/maint-guide/index.html#copyright

This last thing is what I think the python page should link to.  But I never
saw what was the link before, so I have no idea whether this is a replacement
link to the one that was lost, or just the definitive link on how to make
debian packages.

Laura Creighton


From k_vertigo@yahoo.com  Sun Mar 10 04:04:08 2002
From: k_vertigo@yahoo.com (Kapil Thangavelu)
Date: Sat, 9 Mar 2002 20:04:08 -0800 (PST)
Subject: [Catalog-sig] dead link about Debian packages
In-Reply-To: <200203071938.g27JcVls018889@ratthing-b246.strakt.com>
Message-ID: <20020310040408.89738.qmail@web11606.mail.yahoo.com>

i think a link to

http://www.debian.org/doc/packaging-manuals/developers-reference/

might be more appropriate if only because it discusses
in more depth the workings of the debian repository.

cheers

kapil


--- Laura Creighton <lac@strakt.com> wrote:
> This is a link to the FAQ about Debian packages:
> http://www.debian.org/doc/FAQ/ch-pkg_basics.html
> 
> Be warned: Here is the last entry in its entirety:
> 
> 
> 6.15 How do I create Debian packages myself? 
> 
> For more detailed description on this, read the New
> Maintainers' Guide, available in the maint-guide
> package, or at
> ftp://ftp.debian.org/debian/doc/package-developer/maint-guide.html.tar.gz.
> 
> 
> I think that it is a copy of that guide that you
> really want to link to.
> 
> That is Here:
> http://www.debian.org/doc/maint-guide/index.html#copyright
> 
> This last thing is what I think the python page
> should link to.  But I never
> saw what was the link before, so I have no idea
> whether this is a replacement
> link to the one that was lost, or just the
> definitive link on how to make
> debian packages.
> 
> Laura Creighton
> 
> _______________________________________________
> Catalog-sig mailing list
> Catalog-sig@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig


__________________________________________________
Do You Yahoo!?
Try FREE Yahoo! Mail - the world's greatest free email!
http://mail.yahoo.com/


From k_vertigo@yahoo.com  Sun Mar 10 22:42:48 2002
From: k_vertigo@yahoo.com (Kapil Thangavelu)
Date: Sun, 10 Mar 2002 14:42:48 -0800 (PST)
Subject: [Catalog-sig] repository security concerns
Message-ID: <20020310224248.89917.qmail@web11606.mail.yahoo.com>

hi folks,

one of my biggest concerns with a python-repository is
dealing with security, as the repository is enabling
of a framework of automatic installation of software
and will also tend to serve as a primary source of
python packages for manual installations. 

i'm interested in attempts to make some sort of
end-to-end (uploader->downloader) security checks. but
i don't want to increase developer overhead more than
what people are willing to do. 

so here's a first attempt at a model.

uploaders will have a copy of their public keys stored
on the repository. new distribution files should
have their checksums signed and uploaded as well. all
uploading should take place over ssl. a file, its
signature, and the public key of the uploader will be
made available for download for verification by the
end user or an automated tool.

is there an easier way to try and insure end-to-end
security or are there flaws in the above model? does
it require too much of the developer? should the
repository even be attempting to be secure?

thanks

kapil thangavelu





From DavidA@ActiveState.com  Sun Mar 10 23:00:08 2002
From: DavidA@ActiveState.com (David Ascher)
Date: Sun, 10 Mar 2002 15:00:08 -0800
Subject: [Catalog-sig] repository security concerns
References: <20020310224248.89917.qmail@web11606.mail.yahoo.com>
Message-ID: <3C8BE578.B3EEFCED@ActiveState.com>

> one of my biggest concerns with a python-repository is
> dealing with security, as the repository is enabling
> of a framework of automatic installation of software
> and will also tend to serve as a primary source of
> python packages for manual installations.

This appears to be a non-issue in the Perl world.  CPAN is a simple FTP
repository, and yet it works.  Installing modules from CPAN is a
one-liner in Perl.
  
My recommendation is to worry about security later, when you have
critical mass.  Any stringent security measure you impose now will
dramatically impact your level of acceptance.  Keep in mind that doing
SSH'ish things on Windows is much too hard for most people.

It's relatively easy to add a "seal of approval" by a few "authorities"
post-hoc for those users concerned w/ security.

my 2c.

--david


From martin@v.loewis.de  Mon Mar 11 04:57:36 2002
From: martin@v.loewis.de (Martin v. Loewis)
Date: 11 Mar 2002 05:57:36 +0100
Subject: [Catalog-sig] repository security concerns
In-Reply-To: <3C8BE578.B3EEFCED@ActiveState.com>
References: <20020310224248.89917.qmail@web11606.mail.yahoo.com>
 <3C8BE578.B3EEFCED@ActiveState.com>
Message-ID: <m3ofhv7lbz.fsf@mira.informatik.hu-berlin.de>

David Ascher <DavidA@ActiveState.com> writes:

> > one of my biggest concerns with a python-repository is
> > dealing with security, as the repository is enabling
> > of a framework of automatic installation of software
> > and will also tend to serve as a primary source of
> > python packages for manual installations.
> 
> This appears to be a non-issue in the Perl world.  CPAN is a simple FTP
> repository, and yet it works.  Installing modules from CPAN is a
> one-liner in Perl.

It certainly is an issue. In PAUSE, you need to have a password to
identify yourself as an uploader. Use of secure HTTP for PAUSE is
strongly recommended.

Implementing a password scheme for the Python repository may also be
an option, but I'd prefer signed packages instead, or at least in
addition.

Regards,
Martin


From akuchlin@mems-exchange.org  Mon Mar 11 15:38:54 2002
From: akuchlin@mems-exchange.org (Andrew Kuchling)
Date: Mon, 11 Mar 2002 10:38:54 -0500
Subject: [Catalog-sig] repository security concerns
In-Reply-To: <20020310224248.89917.qmail@web11606.mail.yahoo.com>
References: <20020310224248.89917.qmail@web11606.mail.yahoo.com>
Message-ID: <20020311153854.GA19970@ute.mems-exchange.org>

On Sun, Mar 10, 2002 at 02:42:48PM -0800, Kapil Thangavelu wrote:
> is there an easier way to try and insure end-to-end
> security or are there flaws in the above model? does
> it require too much of the developer? should the
> repository even be attempting to be secure?

It seems reasonable, and could be made fairly simple by just using
GnuPG to do the signature generation and checking.  The Python code
could then check if GnuPG is installed, displaying an innocuous "Not
verifying signature" message if it's not, and checking the signature
if it is.   

--amk                                                             (www.amk.ca)
Oh, my fingers! My arms! My legs! My everything! Argh...
    -- The Doctor, in "Nightmare of Eden"


From DavidA@ActiveState.com  Mon Mar 11 17:49:07 2002
From: DavidA@ActiveState.com (David Ascher)
Date: Mon, 11 Mar 2002 09:49:07 -0800
Subject: [Catalog-sig] repository security concerns
References: <20020310224248.89917.qmail@web11606.mail.yahoo.com> <20020311153854.GA19970@ute.mems-exchange.org>
Message-ID: <3C8CEE13.1B26BCFD@activestate.com>

Andrew Kuchling wrote:

> It seems reasonable, and could be made fairly simple by just using
> GnuPG to do the signature generation and checking.  The Python code
> could then check if GnuPG is installed, displaying an innocuous "Not
> verifying signature" message if it's not, and checking the signature
> if it is.

Whatever you do, my suggestion is to make sure the process works for
Unix, Windows and Mac users.  Sourceforge, for example, is a real pain
to set up for non-Unixers.  Until recently, there wasn't even good key
generation software for Windows.  That's apparently been fixed in
recent versions of the putty et al. software.

I don't know anything about GnuPG in that (or any other) respect =).

--david


From zen@shangri-la.dropbear.id.au  Thu Mar 14 00:53:35 2002
From: zen@shangri-la.dropbear.id.au (Stuart Bishop)
Date: Thu, 14 Mar 2002 11:53:35 +1100
Subject: [Catalog-sig] repository security concerns
Message-ID: <EA188696-36E5-11D6-A4B4-000393031882@shangri-la.dropbear.id.au>

> uploaders will have a copy of their public keys stored
> on the repository. new distribution files should
> have their checksums signed and uploaded as well. all
> uploading should take place over ssl. a file, its
> signature, and the public key of the uploader will be
> made available for download for verification by the
> end user or an automated tool.

There is a flaw here - if an attacker can corrupt a file
on the server or between the server and a client, they
can also do so with the developers key. Also, if I
download a trojan version of Numeric from the catalog,
it will still be signed by the key of the uploader and
perfectly valid. It would be impossible for the client
to know that the key belongs to a hacker.

It would be perfectly valid to reveal the SHA-1 hash
of a file, so that a client can confirm the validity
of a file *with a different mirror* to avoid using a
corrupt version. This would reduce attack points to
the master server that allows uploading of new files.

--
Stuart Bishop <zen@shangri-la.dropbear.id.au>
http://shangri-la.dropbear.id.au/
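Here is what the client-side check would look like if the three ideas in this thread are combined: Kapil's signed distribution files, Andrew's "check the signature only if GnuPG is installed, otherwise say so" fallback, and Stuart's two points, namely cross-checking the SHA-1 hash against a *different* mirror and the fact that a valid signature from an unknown key proves nothing. This is an added example written for this archive, not code from Gideon or from anyone on the list; the gpg command-line flags are GnuPG's own, while the file names, the keyring path, the fingerprints and the sample file contents are constructed placeholders.

```python
"""Verify a downloaded distribution the way the thread proposes.

Added example (not Gideon code).  Assumptions: a detached signature file,
a keyring holding uploader keys fetched from a second mirror, and an
out-of-band list of fingerprints the client is willing to trust.
"""
import hashlib
import hmac
import shutil
import subprocess


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the file contents, as the thread suggests publishing."""
    return hashlib.sha1(data).hexdigest()


def matches_other_mirror(data: bytes, hash_from_other_mirror: str) -> bool:
    """Compare what we downloaded with the hash a *different* mirror publishes.

    A single corrupted mirror (or a tampered transfer from it) then shows up
    as a mismatch instead of silently installing a trojaned file.
    """
    published = hash_from_other_mirror.strip().lower()
    return hmac.compare_digest(sha1_hex(data), published)


def find_gpg():
    """Andrew's fallback: None means 'Not verifying signature'."""
    return shutil.which("gpg")


def signer_fingerprint(status_output: str):
    """Pull the signing key's fingerprint out of `gpg --status-fd 1` output.

    GnuPG prints a VALIDSIG line only for a good signature; BADSIG,
    ERRSIG and NO_PUBKEY lines carry no fingerprint we should trust.
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2]
    return None


def verify_signature(file_path, sig_path, keyring_path, trusted_fingerprints, gpg):
    """Return 'unverified', 'invalid', 'untrusted' or 'valid'.

    'untrusted' is Stuart's case: the signature checks out, but the key is
    not one the client learned about through a separate channel, so a
    trojan signed by an attacker's own key does not pass.
    """
    if gpg is None:
        print("Not verifying signature (GnuPG not installed)")
        return "unverified"
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", keyring_path, "--verify", sig_path, file_path],
        capture_output=True, text=True)
    fpr = signer_fingerprint(proc.stdout)
    if proc.returncode != 0 or fpr is None:
        return "invalid"
    return "valid" if fpr in trusted_fingerprints else "untrusted"


def verify_download(data, hash_from_other_mirror, file_path, sig_path,
                    keyring_path, trusted_fingerprints, gpg):
    """Hash cross-check first; only a file that matches the second mirror
    is worth a signature check at all."""
    if not matches_other_mirror(data, hash_from_other_mirror):
        return "hash-mismatch"
    return verify_signature(file_path, sig_path, keyring_path,
                            trusted_fingerprints, gpg)


if __name__ == "__main__":
    # Constructed sample: pretend this is the tarball body we just fetched
    # and that the second mirror published its SHA-1.
    downloaded = b"Numeric-21.0.tar.gz (constructed sample contents)"
    published_by_mirror_b = sha1_hex(downloaded)
    trusted = {"0000000000000000000000000000000000000000"}  # placeholder fpr
    print(verify_download(downloaded, published_by_mirror_b,
                          "Numeric-21.0.tar.gz", "Numeric-21.0.tar.gz.asc",
                          "uploader-keys.gpg", trusted, find_gpg()))
```

The ordering is deliberate: the hash comparison is cheap and needs nothing installed, so it runs for every user, while the signature step degrades to an explicit "unverified" on machines without GnuPG instead of pretending to have checked anything. The allow-list of fingerprints is what turns "signed" into "signed by someone we expected"; without it the check only proves that *some* key produced the signature, which is exactly the hole Stuart describes.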



From martin@v.loewis.de  Thu Mar 14 07:28:48 2002
From: martin@v.loewis.de (Martin v. Loewis)
Date: 14 Mar 2002 08:28:48 +0100
Subject: [Catalog-sig] repository security concerns
In-Reply-To: <EA188696-36E5-11D6-A4B4-000393031882@shangri-la.dropbear.id.au>
References: <EA188696-36E5-11D6-A4B4-000393031882@shangri-la.dropbear.id.au>
Message-ID: <m3ofhr8v67.fsf@mira.informatik.hu-berlin.de>

Stuart Bishop <zen@shangri-la.dropbear.id.au> writes:

> It would be perfectly valid to reveal the SHA-1 hash
> of a file, so that a client can confirm the validity
> of a file *with a different mirror* to avoid using a
> corrupt version. This would reduce attack points to
> the master server that allows uploading of new files.

Having the public key of the uploader on a different mirror achieves
the same trust.

Regards,
Martin



From k_vertigo@yahoo.com  Tue Mar 19 00:57:24 2002
From: k_vertigo@yahoo.com (Kapil Thangavelu)
Date: Mon, 18 Mar 2002 16:57:24 -0800 (PST)
Subject: [Catalog-sig] repository security concerns
In-Reply-To: <m3ofhv7lbz.fsf@mira.informatik.hu-berlin.de>
Message-ID: <20020319005724.58542.qmail@web11602.mail.yahoo.com>

--- "Martin v. Loewis" <martin@v.loewis.de> wrote:
>
> Implementing a password scheme for the Python
> repository may also be
> an option, but I'd prefer signed packages instead,
> or at least in
> addition.


i think in deference to mac and windows users, it
would be best to make uploading of signed packages
optional. part of my concern over having signed
packages and security in general is not offering a
false sense of security, because real security is hard
to do. not to say that i think security should be
ignored, i definitely want to make a good effort on
making a catalog secure.

wrt separate python repository logins, for gideon,
a separate password scheme is in order to create a
community based site, in that although the site
functions in read only mode for anonymous users,
contributing content (packages, reviews, ratings) or
access to certain services (email updates) requires
creating an account. i'm unhappy with the current
login scheme which is based on the zope product
CookieCrumbler (used in zope's CMF) and is insecure,
imo. i'm looking to alter it to one based on the
design below

http://developer.arsdigita.com/doc/security-design.html

and restrict sensitive locations to ssl.

cheers

kapil




From k_vertigo@yahoo.com  Tue Mar 19 04:16:40 2002
From: k_vertigo@yahoo.com (Kapil Thangavelu)
Date: Mon, 18 Mar 2002 20:16:40 -0800 (PST)
Subject: [Catalog-sig] gideon snapshot
Message-ID: <20020319041640.37114.qmail@web11606.mail.yahoo.com>

i've uploaded a new snapshot of the python repository
code to

http://www.zope.org/Members/k_vertigo/Products/Gideon

most of the new work has been expanding infrastructure
for additional functionality (tracker, subscriptions)
that i hope will speed development, and refactoring.
full change log @

http://www.zope.org/Members/k_vertigo/Products/Gideon/Changes

i'll be updating the demo site, after i get the
subscription system working. 

cheers

kapil

