[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

geremy condra debatem1 at gmail.com
Wed Jun 16 19:42:25 CEST 2010


On Wed, Jun 16, 2010 at 2:41 AM, Justin Cappos
<justinc at cs.washington.edu> wrote:
> On Tue, Jun 15, 2010 at 11:09 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>>> I'm not clear on this and the document is a little vague, so perhaps
>>> I should be perusing the source, but if you don't protect against a
>>> serverkey MITM and you are supposed to update the serverkey any
>>> time a signature doesn't match up, couldn't an attacker just MITM
>>> you, produce a known bad signature, and then wait for you to
>>> request a serverkey from them?
>>
>> That's true; transmission of the serverkey is not currently protected
>> against MITM. How would you suggest to fix that?
>
> A simple way to protect against just the issue you mentioned is to
> have the clients retrieve the key over HTTPS or distribute the key
> with the client.

I'd just add that this is not currently as simple as it should be in
Python; by default Python does not check certs for HTTPS
connections, so you can't just feed the correct url into urllib and
be sure you're getting the right answer.

http://bugs.python.org/issue1589

Geremy Condra
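An added example (not code from this thread or from PyPI) showing the two protections discussed above in Python: fetching the serverkey over HTTPS with an SSL context that explicitly requires certificate and hostname verification, and comparing the fetched key against a fingerprint distributed with the client, so a MITM on the key download cannot hand the client a substitute key. The URL and the pinned fingerprint are constructed placeholders; the real serverkey location is not given in the thread. Recent Python versions verify certificates by default, but building the context explicitly documents the intent and guards against code that later disables it.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Hypothetical location of the serverkey; the thread does not give the real path.
SERVERKEY_URL = "https://example.invalid/serverkey"


def verifying_context() -> ssl.SSLContext:
    """SSL context that refuses connections whose certificate chain or
    hostname does not check out (the opposite of a CERT_NONE context)."""
    ctx = ssl.create_default_context()  # loads the system CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The weak configuration for comparison: any certificate is accepted,
    so a MITM can present its own. Shown only to contrast with the above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_serverkey(url: str = SERVERKEY_URL, timeout: float = 10.0) -> bytes:
    """Download the serverkey over a verified TLS connection (needs network)."""
    with urllib.request.urlopen(url, context=verifying_context(), timeout=timeout) as resp:
        return resp.read()


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 hex digest of the key material; this is what ships with the client."""
    return hashlib.sha256(key_bytes).hexdigest()


def check_pinned(key_bytes: bytes, expected_fingerprint: str) -> bool:
    """True only if the downloaded key matches the fingerprint distributed
    with the client. Constant-time compare avoids leaking how much matched."""
    return hmac.compare_digest(fingerprint(key_bytes), expected_fingerprint)


if __name__ == "__main__":
    # Constructed sample: pretend this key was obtained earlier and pinned.
    pinned_key = b"-----BEGIN PUBLIC KEY-----\nconstructed-sample\n-----END PUBLIC KEY-----\n"
    pin = fingerprint(pinned_key)
    print("pinned fingerprint:", pin)
    print("genuine key accepted:", check_pinned(pinned_key, pin))
    print("substituted key accepted:", check_pinned(b"attacker-supplied", pin))
```

In practice `fetch_serverkey` runs once and the result is passed through `check_pinned` before the key is ever used to verify a signature; a mismatch should abort the update rather than trigger a "refresh the serverkey" path, since that path is exactly what the quoted MITM scenario exploits.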

