[Catalog-sig] Use user-specific site-packages by default?
Giovanni Bajo
rasky at develer.com
Tue Feb 5 15:41:31 CET 2013
Il giorno 05/feb/2013, alle ore 15:34, Daniel Holth <dholth at gmail.com> ha scritto:
> On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
>> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped SHA2 hash of the file to be downloaded from an external host would be enough to detect tampering over time.
>
> You could do this, still lowers the overall availability of the system which kinda sucks, and
> to actually be sane and secure you'd still need to rework the current method of trolling for external
> urls.
>>
>> pip could come with a copy of PyPI's ssl certificate, verifying that it was identical to the expected cert rather than signed by one of 100s of trusted CAs.
>
> That loses the ability to change PyPI's SSL cert, basically forever and still doesn't protect MITM against
> someone logging into PyPI through a browser.
>
> Or it could just notify you whenever the SSL certificate changed. http://tack.io/ lets a site sign its SSL certificate with a key that doesn't change. Of course doing SSL at all is the priority.
The point is that it's not important to get there in the first place. If you want to solve this additional problem (CA vulnerabilites), then there is no reason why pip should use a SSL endpoint with a certificate singed by a public, global CA. Global CAs are used for browsers. pip could connect and use to a SSL webservice using a self-signed CA, and pin that CA forever.
My position on the matter is that this issue should be rediscussed after we fix the major problems, one of which is the fact that pip is using HTTP and not HTTPS. There is a pull request here:
https://github.com/pypa/pip/pull/789
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130205/22d2962c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4346 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130205/22d2962c/attachment-0001.bin>
More information about the Catalog-SIG
mailing list