[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Giovanni Bajo rasky at develer.com
Sun Feb 10 14:30:49 CET 2013


On 10 Feb 2013, at 05:44, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On Sun, Feb 10, 2013 at 7:23 AM, Giovanni Bajo <rasky at develer.com> wrote:
>> Hello,
>> 
>> my proposal for fixing PyPI and pip security is here:
>> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit#
>> 
>> I tried to sum up the discussions we had here last week, elaborating on Heimes' proposal by simplifying it where I thought the additional steps wouldn't guarantee additional security. At this point, the proposal does not include a central, uber-master online GPG signing key to be stored on PyPI, which is IMO quite hard to handle correctly.
> 
> I think the parts related to improving the HTTPS/SSL based security
> are solid, but for the other aspects of secure updates, integrating
> TUF (https://www.updateframework.com/) into the PyPI based
> distribution infrastructure sounds like the best available option for
> enhancing the end-to-end integrity checking. TUF has a comparatively
> well-developed threat model, and systematically covers many of the
> attack vectors discussed in the past few days (including provision of
> old, known vulnerable, versions).

I'm not sure which parts of my document you think can be substituted with TUF. You seem to imply that anything related to GPG should be changed into using TUF, but I think TUF is missing a very important part: the trust model, because it was not meant to solve this problem, since at its core it is just an update framework for a single piece of software, not a package manager where users might install multiple pieces of software.

Even if you replace with TUF all the parts of my document that might be replaced, that would probably be only task #7 ("make pip validate signatures") and task #9 ("verify gpg signatures while uploading packages"). Anything else still applies, as far as I can tell.

Justin Cappos' mail on Feb 7th, 15:10: "One issue I'm not sure I understand is whether or not PyPI is trusted to know which developer's key is supposed to be signing updates for a specific package.  I assume this would be the case, because otherwise I don't understand how the user gets this information.  If so, how often does this list get updated with new developers / key changes?   (I'm trying to understand what sort of key storage is appropriate here...)".

This is by far the biggest problem to be solved, and my document brings a proposal here. It would be great if the TUF guys reviewed it. 
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
