[Catalog-sig] Use user-specific site-packages by default?
holger krekel
holger at merlinux.eu
Tue Feb 5 16:14:45 CET 2013
On Tue, Feb 05, 2013 at 16:07 +0100, Lennart Regebro wrote:
> On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel <holger.krekel at gmail.com> wrote:
> > I wouldn't assume that maintainers are easily reachable. I've contacted at
> > least three people of different (>1K downloads) packages which never
> > responded.
>
> We really can't do very much about abandoned packages.
>
> > And of course, I didn't mean to imply that already installed packages would
> > suddenly break. Rather that installation instructions like "use pip install
> > X" will just fail with some dependency "Y" not getting installed. Or
> > getting installed in some random lower version which might contain evil bugs
> > (including security bugs). For example, the referenced "lockfile" project
> > has a "0.2" release on pypi, but is currently at 0.9.
>
> There is no way around that problem, except other people than the
> maintainers uploading the software to PyPI. That's certainly an
> option, and I have no good argument against it, but I don't like it.
> (Obviously it can only be done for software marked with relevant licenses).
>
> > In the end, however, none of this prevents MITM attacks between a downloader
> > and pypi.python.org.
>
> Sure, and that's another problem, and the low-hanging fruit there is
> using https.
Transporting almost all externally reachable packages to be locally pypi
served is also kind of a low hanging fruit, although probably slightly
higher hanging than SSL :) The point is that we can have some control over
those packages once we have them - so we can delete them if they are reported
to be malicious independently of maintainer reachability.
> > If a signature is available (also at a download_url site), then we can exclude undetected
> > tampering.
>
> If they can change the file at the download_url site, then they surely
> can change the signature?
No, because a signature can only be created by the original author for
a particular file (his upload), not from the download site or a
MITM-attacker for a different file.
best,
holger
> //Lennart
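The signature point in the last reply, played through as an added example (Go, standard-library Ed25519; this is not code from the thread, from pip or from PyPI): the author signs a release archive, and a download site or MITM that swaps the file can recompute any checksum served next to it, but cannot produce a signature that verifies under the author's published key. The key pairs and archive bytes are constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Check is what the downloader learns about one fetched (archive, digest, signature) triple.
type Check struct {
	ChecksumMatches bool // digest published next to the file matches the file
	SignatureValid  bool // detached signature verifies under the author's public key
}

// checkDownload is the downloader side. It knows only the author's public key
// (obtained out of band, e.g. from the index) and whatever the download site served.
func checkDownload(authorPub ed25519.PublicKey, archive, servedDigest, sig []byte) Check {
	sum := sha256.Sum256(archive)
	return Check{
		ChecksumMatches: bytes.Equal(sum[:], servedDigest),
		SignatureValid:  ed25519.Verify(authorPub, archive, sig),
	}
}

// scenarios replays the thread's argument: the author signs the archive, then a
// download site or MITM replaces the file and everything served alongside it.
// All keys and archive contents are constructed sample data.
func scenarios() (genuine, swapped Check) {
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	archive := []byte("lockfile-0.9.tar.gz (constructed sample archive bytes)")
	digest := sha256.Sum256(archive)
	sig := ed25519.Sign(authorPriv, archive) // only the author's private key can do this
	genuine = checkDownload(authorPub, archive, digest[:], sig)

	// Attacker controls the download site: swaps the archive, recomputes the
	// published checksum, and attaches a signature made under its own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := []byte("lockfile-0.9.tar.gz (constructed tampered archive bytes)")
	evilDigest := sha256.Sum256(evil)
	evilSig := ed25519.Sign(attackerPriv, evil)
	swapped = checkDownload(authorPub, evil, evilDigest[:], evilSig)
	return genuine, swapped
}

func main() {
	g, s := scenarios()
	fmt.Printf("genuine download: checksum=%v signature=%v\n", g.ChecksumMatches, g.SignatureValid)
	fmt.Printf("swapped download: checksum=%v signature=%v\n", s.ChecksumMatches, s.SignatureValid)
}
```

The checksum passes in both cases because it was served by the same party that served the file; only the signature, bound to the author's key, exposes the swap.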