[Catalog-sig] Use user-specific site-packages by default?
holger krekel
holger at merlinux.eu
Tue Feb 5 15:53:52 CET 2013
On Tue, Feb 05, 2013 at 15:46 +0100, Giovanni Bajo wrote:
> On 05/feb/2013, at 15:06, Holger Krekel <holger.krekel at gmail.com> wrote:
>
> > In the end, however, none of this prevents MITM attacks between a downloader and pypi.python.org. Or between the uploader and pypi.python.org (using basic auth over http often). Signing methods like https://wiki.archlinux.org/index.php/Pacman-key are key. If a signature is available (also at a download_url site), then we can exclude undetected tampering. And there might not be a need to break currently working package releases.
>
> A signature is not enough; if you don't have a secure channel,
> signatures can be replayed. E.g.: if you install through an insecure
> channel and you just verify GPG signatures on the package, I can MITM
> you and serve you an older, vulnerable package version (with its
> correct signature), and then go exploit that vulnerability.
Point taken. I guess unless someone sits down and writes a PEP-ish path for
fortification, it's gonna be hard to assess viability and resilience
against the several attack vectors which should be sorted/prioritized.
Or is somebody on that already? (there were hints of some background
discussions - not sure that's helping much as most attack vectors against
the python packaging ecosystem are kind of well known or easy to guess after
a bit of research and experimentation).
best,
holger
> --
> Giovanni Bajo :: rasky at develer.com
> Develer S.r.l. :: http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
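The rollback problem raised in the quoted reply (a man in the middle replaying an older, vulnerable release together with its still-valid signature), and the version and freshness checks that close it, as an added example; this is not code from the thread, from PyPI or from pip. The shared HMAC key stands in for the publisher's GPG signing key, and the package name, versions, archive bytes and timestamps are all constructed values.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the publisher's signing key. A real release would
# carry an asymmetric (GPG/Ed25519) signature; HMAC keeps the example stdlib-only.
SIGNING_KEY = b"example-publisher-key-not-real"

# Oldest signed metadata a client will accept, in seconds (one week here).
MAX_METADATA_AGE = 7 * 24 * 3600


def canonical(meta):
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_release(name, version, archive, signed_at):
    """Publisher side: bind name, version, archive digest and signing time together.

    Signing only the archive would let an attacker pair any valid old signature
    with the old archive forever; the timestamp and version are what the client
    later checks against.
    """
    meta = {
        "name": name,
        "version": version,
        "sha256": hashlib.sha256(archive).hexdigest(),
        "signed_at": signed_at,
    }
    sig = hmac.new(SIGNING_KEY, canonical(meta), hashlib.sha256).hexdigest()
    return {"meta": meta, "sig": sig}


def version_key(version):
    """Turn '1.10' into (1, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def verify_release(signed, archive, last_seen_version, now):
    """Client side: return (accepted, reason).

    A correct signature alone proves the publisher signed *something*; it does
    not prove this is the current release. The digest, freshness and rollback
    checks are what an insecure transport requires on top of it.
    """
    meta = signed["meta"]
    expected = hmac.new(SIGNING_KEY, canonical(meta), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False, "bad signature"
    if hashlib.sha256(archive).hexdigest() != meta["sha256"]:
        return False, "archive digest mismatch"
    if now - meta["signed_at"] > MAX_METADATA_AGE:
        return False, "metadata too old (possible freeze/replay)"
    if last_seen_version and version_key(meta["version"]) < version_key(last_seen_version):
        return False, "rollback: %s is older than %s" % (meta["version"], last_seen_version)
    return True, "ok"


def demo():
    """Run the constructed scenarios and return {scenario: reason}."""
    t0 = 1360000000  # constructed epoch timestamp, early Feb 2013
    old = sign_release("examplepkg", "1.0", b"constructed old archive", t0)
    new = sign_release("examplepkg", "1.1", b"constructed new archive", t0 + 86400)
    now = t0 + 2 * 86400

    # An attacker on the wire can only re-serve what the publisher signed,
    # so a forged signature is the one case the signature check itself catches.
    forged = {"meta": dict(new["meta"]), "sig": "00" * 32}

    return {
        "current": verify_release(new, b"constructed new archive", "1.0", now)[1],
        "rollback": verify_release(old, b"constructed old archive", "1.1", now)[1],
        "tampered": verify_release(new, b"not the signed bytes", "1.0", now)[1],
        "stale": verify_release(new, b"constructed new archive", "1.0", now + 30 * 86400)[1],
        "forged": verify_release(forged, b"constructed new archive", "1.0", now)[1],
    }


if __name__ == "__main__":
    for scenario, reason in demo().items():
        print("%-9s %s" % (scenario, reason))
```

The client keeps two pieces of state that the signature cannot supply on its own: the highest version it has already installed and a bound on how old signed metadata may be. The first turns the replayed-old-release case into a detectable rollback; the second limits how long a captured release (or a frozen mirror) stays acceptable even when every signature on it is genuine.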