[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

Justin Cappos justinc at cs.washington.edu
Wed Jun 16 00:32:39 CEST 2010

On Tue, Jun 15, 2010 at 2:55 PM, Jesus Cea <jcea at jcea.es> wrote:
> On 15/06/10 20:52, Tarek Ziadé wrote:
>> Do you trust the package you are installing more than an "official"
>> mirror ? if so, why ?
> If a package is signed by the author, I only need to "trust" the author.

I think it might not be this simple.   You're still trusting PYPI to
provide you with the latest version of a package.   Absent other
mechanisms, you don't have a way to tell if the file you're being
served is actually a version that is obsolete (possibly due to
security flaws).

Also, in practice many package managers perform dependency resolution
based upon metadata that isn't signed with the author's GPG key.

Is the plan to use what is proposed in
http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html in
practice?   Is more information available about this?   Does this
protect against man-in-the-middle attacks?

> If a package is not signed in PYPI, I must "trust" the author, PYPI
> admins and pypi machines security.
> If I download from a mirror, with no digital signature, I must trust the
> author, PYPI admins, pypi machines security, mirror admins, mirror
> machine security and mirror replication protocol. And all network
> connections and harddisks in between.
> It is just me, call me paranoid, but I pay close attention to where the
> package being installed by "easy_install" is pulled from. I have
> documented where each package used to live and I check carefully when I
> see an unexpected URL. And I freak out when a package upgrade includes
> new dependencies I haven't seen before.
>> Anyone can upload a package at PyPI with
>>   os.system('rm -rf /')
>> in its setup.py...
> True. And SCARY. Fortunately I only install packages I am interested
> in, check signatures, etc. Of course, I can be hacked if the original
> author put a trojan in the package, or he/she was hacked before. But my
> exposure is smaller than if I must trust too every link in a LONG chain
> of mirrors.
> Just check this link, for a recent example:
> <http://it.slashdot.org/firehose.pl?op=view&type=story&sid=10/06/13/0046256>
> The trojan was not in the original sourcecode, but in an altered mirror
> version.
> Asking for pypi central node to add signatures is a trivial way of
> avoiding this issue. The question is not to trust or not to trust
> mirrors, but that we have technology to be safe even if the mirrors are
> not trusted. I don't NEED to trust you to be safe. I am happy!

I think there are other subtle issues here dealing with key
revocation, mismatching of package versions, etc.

A lot of these issues are pretty subtle and I'd be happy to talk in
more detail about how one might address them.   In fact, we have a
project that is trying to do so:

Geremy, do you want to chime in?


> --
> Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
> jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
> jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
> .                              _/_/  _/_/    _/_/          _/_/  _/_/
> "Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
> "My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
> "El amor es poner tu felicidad en la felicidad de otro" - Leibniz
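The two points Justin raises above (an author signature does not tell you whether the file you were served is the current release, and dependency metadata is often outside what the author signed) can be made concrete with a small model. The script below is an added example written for this page; it is not code from the thread, from PyPI, or from the project Justin alludes to. HMAC with shared keys stands in for real public-key signatures so that it runs offline, and every key, package name, version and expiry value is constructed for the demonstration. The repository publishes a signed, expiring "snapshot" naming the latest version of each package; the client accepts a file only if the author's signature over name, version, content hash and dependency list verifies AND the version matches the unexpired snapshot. A mirror can then replay an old, correctly signed release, withhold snapshot updates, alter the content, or alter the dependency list, and each case is rejected for a different reason.

```python
"""Added example, not code from the original thread or from PyPI.

Models why a per-package author signature alone does not stop a mirror
from serving an obsolete (but genuinely signed) release, and why the
dependency list should be inside what the author signs.  HMAC stands in
for a public-key signature so the script runs offline; keys, names,
versions and timestamps below are all constructed for the demo.
"""
import hashlib
import hmac
import json

AUTHOR_KEY = b"author-secret"    # constructed stand-in for the author's signing key
REPO_KEY = b"repository-secret"  # constructed stand-in for the repository's key


def sign(key, obj):
    """Canonical JSON plus an HMAC tag (stand-in for a real signature)."""
    msg = json.dumps(obj, sort_keys=True).encode()
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key, msg, tag):
    """Constant-time check of the stand-in signature."""
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), tag)


def author_release(name, version, content, deps):
    """The author signs name, version, content hash AND the dependency list."""
    meta = {"name": name, "version": version,
            "sha256": hashlib.sha256(content).hexdigest(), "deps": deps}
    msg, tag = sign(AUTHOR_KEY, meta)
    return {"content": content, "meta": msg, "sig": tag}


def repo_snapshot(latest, expires):
    """The repository signs the latest version of each package plus an expiry."""
    msg, tag = sign(REPO_KEY, {"latest": latest, "expires": expires})
    return {"snapshot": msg, "sig": tag}


def install_check(package, snapshot, now):
    """Return (ok, reason). Authenticity first, then freshness."""
    if not verify(AUTHOR_KEY, package["meta"], package["sig"]):
        return False, "bad author signature"
    meta = json.loads(package["meta"])
    if hashlib.sha256(package["content"]).hexdigest() != meta["sha256"]:
        return False, "content hash mismatch"
    if not verify(REPO_KEY, snapshot["snapshot"], snapshot["sig"]):
        return False, "bad repository signature"
    snap = json.loads(snapshot["snapshot"])
    if now > snap["expires"]:
        # A mirror that stops replicating cannot forge a newer expiry.
        return False, "snapshot expired: mirror may be withholding updates"
    latest = snap["latest"].get(meta["name"])
    if latest != meta["version"]:
        # The old file is genuinely signed by the author, yet rejected.
        return False, "obsolete version %s (latest is %s)" % (meta["version"], latest)
    return True, "ok"


def demo():
    """Run the honest case and four mirror misbehaviours; returns the verdicts."""
    old = author_release("foo", "1.0", b"print('hi')", ["bar>=1"])
    new = author_release("foo", "1.1", b"print('hi, fixed')", ["bar>=2"])
    snap = repo_snapshot({"foo": "1.1"}, expires=1000)

    # Mirror rewrites the dependency list; the author signature no longer covers it.
    altered = json.loads(new["meta"])
    altered["deps"] = ["evil-helper"]
    deps_altered = dict(new, meta=json.dumps(altered, sort_keys=True).encode())

    return {
        "new_fresh": install_check(new, snap, now=500),
        "old_replayed": install_check(old, snap, now=500),
        "stale_snapshot": install_check(new, snap, now=2000),
        "tampered": install_check(dict(new, content=b"evil"), snap, now=500),
        "deps_altered": install_check(deps_altered, snap, now=500),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-15s %s" % (case, verdict))
```

The order of checks matters: verifying the author's signature before anything else means a mirror that edits the dependency list is caught as a signature failure, while the replayed old release, which carries a perfectly valid author signature, is only caught by the repository-signed snapshot. Note that the snapshot's expiry is what turns "the mirror is silently stale" from an undetectable condition into a hard error; without it, freezing a mirror would be indistinguishable from "no new releases".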
