[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
Nick Coghlan
ncoghlan at gmail.com
Sun Feb 10 05:44:04 CET 2013
On Sun, Feb 10, 2013 at 7:23 AM, Giovanni Bajo <rasky at develer.com> wrote:
> Hello,
>
> my proposal for fixing PyPI and pip security is here:
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit#
>
> I tried to sum up the discussions we had here last week, elaborating on Heimes' proposal by simplifying it where I thought the additional steps wouldn't guarantee additional security. At this point, the proposal does not include a central, uber-master online GPG signing key to be stored on PyPI, which is IMO quite hard to handle correctly.

I think the parts related to improving the HTTPS/SSL based security
are solid, but for the other aspects of secure updates, integrating
TUF (https://www.updateframework.com/) into the PyPI based
distribution infrastructure sounds like the best available option for
enhancing the end-to-end integrity checking. TUF has a comparatively
well-developed threat model, and systematically covers many of the
attack vectors discussed in the past few days (including provision of
old, known vulnerable, versions).

I have more faith in our collective ability to build a usable *and*
secure cross-platform distribution infrastructure on TUF (which
already has many of the more difficult security aspects covered),
along with devising a migration path from our existing distribution
infrastructure, than I do in our ability to come up with something
completely new.

Regards,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia