[Catalog-sig] Use user-specific site-packages by default?

Giovanni Bajo rasky at develer.com
Tue Feb 5 16:06:38 CET 2013


Il giorno 05/feb/2013, alle ore 15:57, Nick Coghlan <ncoghlan at gmail.com> ha scritto:

> On Wed, Feb 6, 2013 at 12:46 AM, Giovanni Bajo <rasky at develer.com> wrote:
>> Il giorno 05/feb/2013, alle ore 15:06, Holger Krekel
>> <holger.krekel at gmail.com> ha scritto:
>> 
>> In the end, however, none of this prevents MITM attacks between a downloader
>> and pypi.python.org.  Or between the uploader and pypi.python.org (using
>> basic auth over http often).  Signing methods like
>> https://wiki.archlinux.org/index.php/Pacman-key are key.  If a signature is
>> available (also at a download_url site), then we can exclude undetected
>> tampering.  And there might not be a need to break currently working package
>> releases.
>> 
>> 
>> A signature is not enough; if you don't have a secure channel, signatures
>> can be replayed. E.g.: if you install through an insecure channel and you just
>> verify GPG signatures on the package, I can MITM you and serve you an older,
>> vulnerable package version (with its correct signature), and then go exploit
>> that vulnerability.
> 
> Don't let perfect become the enemy of better. There are a *truckload*
> of potential vulnerabilities in the way people currently use PyPI, and
> *all* of them need to be addressed over time. It's great that the
> problems with rubygems and the published MITM attack on PyPI have
> drawn attention to these issues, but it's important to remember that
> the reason most of them haven't been addressed before now is because
> they're *hard problems*, and because there's a tension between
> encouraging relative newcomers to Python (and open source in general)
> to share their work with the world, providing reasonable transition
> plans from existing insecure practices to more secure alternatives,
> and ultimately satisfying the dependency management needs of those
> that want to be able to obtain trusted versions of software directly
> from PyPI using the standard tools.


I do agree; in fact, I'm not the one suggesting, e.g., pinning CA certificates.

What I'm saying is that it's far more important to fix HTTPS in PyPI than to verify GPG signatures. So when I hear the argument "if we just verify GPG signatures, that would be enough", I must disagree and explain why it's not true.
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
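The replay/downgrade point made in the thread above, shown as an added example that is not part of the original message or of PyPI/pip code: a client that only checks a per-package signature accepts any release the publisher ever signed, so an attacker on an insecure channel can serve an older, still correctly signed version. The mitigation shown alongside it (a signed, expiring index that names the current version) is one well-known approach and is not something the thread itself proposes. Everything here is constructed: `PUBLISHER_KEY`, the HMAC that stands in for a GPG signature, the package name `example-pkg`, the release contents and the expiry timestamps.

```python
import hashlib
import hmac
import json

# Constructed publisher key: stands in for the private half of a GPG key.
PUBLISHER_KEY = b"constructed-publisher-key-not-real"


def sign(data: bytes) -> str:
    """Stand-in for a detached GPG signature over `data` (HMAC, constructed)."""
    return hmac.new(PUBLISHER_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)


def sdist(name: str, version: str) -> bytes:
    """Constructed stand-in for a release archive's bytes."""
    return f"{name}-{version}.tar.gz (constructed contents)".encode()


# Publisher history: 1.0 shipped with a bug, 1.1 fixed it. Both were signed
# at release time, so both signatures verify forever.
PACKAGE = "example-pkg"
RELEASES = {
    v: {"data": sdist(PACKAGE, v), "sig": sign(sdist(PACKAGE, v))}
    for v in ("1.0", "1.1")
}


def signed_index(latest: str, expires: int) -> dict:
    """Small metadata document the publisher signs: current version + expiry."""
    body = json.dumps({"name": PACKAGE, "latest": latest, "expires": expires},
                      sort_keys=True).encode()
    return {"body": body, "sig": sign(body)}


# Two index documents the publisher has issued over time (constructed times).
OLD_INDEX = signed_index("1.0", expires=1000)   # issued while 1.0 was current
NEW_INDEX = signed_index("1.1", expires=2000)


def client_signature_only(version: str, data: bytes, sig: str):
    """Client that trusts whatever the insecure channel delivers as long as
    the package signature checks out. Returns (accepted, reason)."""
    if not verify(data, sig):
        return False, "bad package signature"
    return True, f"installed {version}"


def client_signed_index(version: str, data: bytes, sig: str, index: dict, now: int):
    """Client that also requires a signed, unexpired index and only installs
    the version that index names. Returns (accepted, reason)."""
    if not verify(index["body"], index["sig"]):
        return False, "bad index signature"
    meta = json.loads(index["body"])
    if now >= meta["expires"]:
        return False, "index expired (possible replay)"
    if version != meta["latest"]:
        return False, f"served {version} but index says {meta['latest']}"
    if not verify(data, sig):
        return False, "bad package signature"
    return True, f"installed {version}"


def replay_outcomes(now: int = 1500) -> dict:
    """Outcomes when the channel delivers the old-but-genuinely-signed 1.0
    release instead of 1.1, for both client designs."""
    old, new = RELEASES["1.0"], RELEASES["1.1"]
    return {
        # Signature verifies, so the naive client installs the old version.
        "naive": client_signature_only("1.0", old["data"], old["sig"]),
        # Old index replayed together with the old package: it has expired.
        "careful_old_index": client_signed_index("1.0", old["data"], old["sig"], OLD_INDEX, now),
        # Current index but old package: version does not match the index.
        "careful_new_index": client_signed_index("1.0", old["data"], old["sig"], NEW_INDEX, now),
        # Honest delivery of the current release is accepted.
        "legit": client_signed_index("1.1", new["data"], new["sig"], NEW_INDEX, now),
    }


if __name__ == "__main__":
    for name, outcome in replay_outcomes().items():
        print(f"{name:18s} {outcome}")
```

The expiry check is what gives the index its value: without it, the old index (which genuinely named 1.0 as latest) could be replayed alongside the old package. A transport that cannot be tampered with, which is the thread's main point, removes the replay possibility at the channel level; the signed index is the fallback when the channel cannot be trusted.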





