[Catalog-sig] PyPI and setuptools

M.-A. Lemburg mal at egenix.com
Sun Feb 10 12:45:45 CET 2013


Giovanni Bajo wrote:
> On 10/feb/2013, at 00:43, M.-A. Lemburg <mal at egenix.com> wrote:
> 
>> On 10.02.2013 00:13, Stephen Thorne wrote:
>>> Hello,
>>>
>>> One of my concerns with the recent pip dramas that have seen some excellent
>>> and timely action from catalog-sig and others, is that 'setuptools' is
>>> still widely distributed and used instead of distribute/pip.
>>
>> Just as data point: distribute isn't using HTTPS either and the
>> distribute bootstrap site doesn't work with HTTPS:
>>
>>    http://python-distribute.org/
>>
>> (https://python-distribute.org/ gives
>> "Error code: ssl_error_rx_record_too_long" in Firefox)
>>
>> By redirecting the PyPI main and mirror sites from HTTP to HTTPS
>> you can "upgrade" older installations.
> 
> Alas, this redirection wouldn't fix the main issue, because a MITM can still proxy the connection, swallow the redirection, and insert malware into the downloaded package. The only way to really fix it is to patch all PyPI clients, including distribute.

The main problem at the moment is transferring passwords in
plain text :-)

If you gain access to the password of an account that manages
popular packages, you don't need any of the MITM attacks -
you simply modify the existing packages on the PyPI server.

Moving to HTTPS will be a first step in making this harder.

>> An alternative approach would be to make people more aware of
>> the possibility to configure the PyPI site URL in a distutils
>> config file (even globally) and changing the URL from HTTP
>> to HTTPS there:
>>
>> * distutils config files:
>>
>> http://docs.python.org/2/install/index.html#inst-config-files
>>
>> * setuptools:
>>
>> http://peak.telecommunity.com/DevCenter/EasyInstall#configuration-files
>> http://peak.telecommunity.com/DevCenter/EasyInstall#command-line-options
>> (the option is called --index-url)
>>
>> * distribute:
>>
>> http://pythonhosted.org/distribute/easy_install.html#configuration-files
>> http://pythonhosted.org/distribute/easy_install.html#reference-manual
>> (the option is called --index-url)
> 
> 
> The problem with this approach is that the Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI through https, it doesn't help at all in case of a MITM attack.

I know, but it's already a lot better than using HTTP (see above) :-)

If we could get all servers talking HTTPS using validating certificates,
that would already be a major step forward. This includes servers that
provide bootstrapping for distribute/setuptools and pip, as well as
the main PyPI server and all mirrors.

PyPI will soon get a validating certificate. I'm not sure about
distribute and the mirror servers.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
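As an added example, not taken from this thread or from distutils, setuptools or distribute: a small Python 3 script that reads index_url from an [easy_install] config section, refuses a plain-http value (an http-to-https redirect can be stripped by the MITM Giovanni describes, so the client must start on https), and fetches the index with a certificate- and hostname-validating context, which is the fix for the "stdlib does not validate certificates" point. The helper names and the sample config are assumptions.

```python
"""Hardened index fetch: refuse plain-HTTP index URLs and validate certificates.

Helper names (index_url_from_config, hardened_index_url, verifying_context,
fetch_index) are assumed for this example; they are not part of any tool.
"""
import configparser
import ssl
import urllib.request
from urllib.parse import urlparse


def index_url_from_config(text):
    """Read index_url from the [easy_install] section of a distutils-style config."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp.get("easy_install", "index_url", fallback=None)


def hardened_index_url(url):
    """Reject http:// URLs: a server-side redirect to https can be swallowed
    by a proxying attacker, so the client itself must insist on https."""
    if urlparse(url).scheme != "https":
        raise ValueError("index URL must use https, got %r" % url)
    return url


def verifying_context():
    """SSL context that verifies the certificate chain and the hostname,
    which older urllib code did not do by default."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_index(url, timeout=10):
    """Fetch the index page over verified HTTPS; any cert problem raises."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=verifying_context()))
    with opener.open(hardened_index_url(url), timeout=timeout) as resp:
        return resp.read()


# Constructed sample config, modelled on the [easy_install] section
# described in the setuptools/distribute docs linked above.
SAMPLE_CFG = """[easy_install]
index_url = http://pypi.python.org/simple/
"""

if __name__ == "__main__":
    try:
        hardened_index_url(index_url_from_config(SAMPLE_CFG))
    except ValueError as exc:
        print("rejected:", exc)
```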