[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

Justin Cappos justinc at cs.washington.edu
Wed Jun 16 08:41:45 CEST 2010


On Tue, Jun 15, 2010 at 11:09 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> I'm not clear on this and the document is a little vague, so perhaps
>> I should be perusing the source, but if you don't protect against a
>> serverkey MITM and you are supposed to update the serverkey any
>> time a signature doesn't match up, couldn't an attacker just MITM
>> you, produce a known bad signature, and then wait for you to
>> request a serverkey from them?
>
> That's true; transmission of the serverkey is not currently protected
> against MITM. How would you suggest to fix that?

A simple way to protect against just the issue you mentioned is to
have the clients retrieve the key over HTTPS or distribute the key
with the client.

In general, the problems are much, much trickier than just this. I
won't bore you with all of the details (unless you'd like to know
more), but we found and fixed a lot of problems with the security of
Linux package managers. A quick pointer to some of the technical
details can be found here:
http://www.cs.arizona.edu/stork/packagemanagersecurity/papers.html

> As for perusing the source: the client behavior is not implemented yet, so
> there isn't really any source to check, yet.

Okay. We'd be happy to work with you to get an easy solution put in
place. As I was shamelessly plugging before, we've been working on a
library called TUF that is supposed to make this as simple as possible
for whoever maintains the repository and be completely transparent
for the clients.

TUF is fairly early stage (our first major deployment is ongoing),
but might be worth consideration. I think we could probably put
together a quick demo so that you and others could see how it might
work with one of the existing client updaters.

Thanks,
Justin
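The key-handling problem discussed in this message, worked through in code. This is an added example, not code from the thread, from PyPI or from TUF: a toy signed-index client that contrasts the policy the first quoted mail describes (re-download the serverkey over the same unauthenticated channel whenever a signature fails) with the fix suggested in the reply (a key shipped with the client, or fetched once over an authenticated channel, that is never replaced on a mismatch). The signature scheme is a Lamport one-time signature built on SHA-256 so the example runs on the standard library only; it stands in for whatever real scheme a repository would use, and the index contents, paths and the "network" dictionary are constructed for the example.

```python
import hashlib
import secrets

N = 256  # one preimage pair per bit of a SHA-256 digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key pair: sk is 256 pairs of random preimages,
    pk is their hashes. Each key pair must sign at most one message."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (N - 1 - i)) & 1


def sign(sk, msg: bytes):
    """Reveal, for every bit of H(msg), the preimage selected by that bit."""
    d = int.from_bytes(H(msg), "big")
    return [sk[i][_bit(d, i)] for i in range(N)]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed preimage and compare with the public key half
    selected by the corresponding bit of H(msg)."""
    d = int.from_bytes(H(msg), "big")
    return len(sig) == N and all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(N))


# --- client policies ------------------------------------------------------
# `net` models an unauthenticated HTTP channel as a dict of path -> response.
# When an attacker is in the middle, every entry (index, signature and the
# serverkey download) is under the attacker's control.

def client_refetch_on_mismatch(net, trusted_pk):
    """Flawed policy from the thread: a failed signature is taken to mean
    the server rotated its key, so a fresh serverkey is fetched over the
    same channel and the check is retried with it."""
    index, sig = net.get("/index"), net.get("/index.sig")
    if not verify(trusted_pk, index, sig):
        trusted_pk = net.get("/serverkey")  # a MITM hands out its own key here
        if not verify(trusted_pk, index, sig):
            return None
    return index


def client_pinned_key(net, trusted_pk):
    """Suggested fix: the key distributed with the client (or obtained once
    over HTTPS) is the only trust root, and a mismatch is a hard failure.
    Key rotation must itself be signed by a key the client already trusts."""
    index, sig = net.get("/index"), net.get("/index.sig")
    return index if verify(trusted_pk, index, sig) else None


def run_scenario():
    """Run both clients against an honest server and against a MITM.
    Returns a dict of policy/scenario -> accepted index (or None)."""
    server_sk, server_pk = keygen()
    good_index = b"example-pkg==1.0 sha256=aaaa...\n"  # constructed sample index
    honest = {"/index": good_index,
              "/index.sig": sign(server_sk, good_index),
              "/serverkey": server_pk}

    mitm_sk, mitm_pk = keygen()  # attacker's own key pair
    evil_index = b"example-pkg==1.0 sha256=bbbb...\n"  # points at a trojaned build
    mitm = {"/index": evil_index,
            "/index.sig": sign(mitm_sk, evil_index),  # valid under the attacker's key only
            "/serverkey": mitm_pk}

    return {
        "refetch_honest": client_refetch_on_mismatch(honest, server_pk),
        "refetch_mitm": client_refetch_on_mismatch(mitm, server_pk),
        "pinned_honest": client_pinned_key(honest, server_pk),
        "pinned_mitm": client_pinned_key(mitm, server_pk),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:15s} -> {'ACCEPTED ' + result.decode().strip() if result else 'rejected'}")
```

The re-fetching client accepts the attacker's index: the bad signature is exactly what triggers the key download, and the channel that delivers the key is the one the attacker controls. The pinned client rejects it because nothing in the exchange can change which key it trusts. Serving the key over HTTPS closes this particular hole only as far as the client actually validates the server certificate; bundling the key with the client avoids the question at the cost of needing a signed key-rotation mechanism, which is the sort of thing the TUF work mentioned above deals with.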
