[Catalog-sig] RubyGems Threat Model and Requirements

Nick Coghlan ncoghlan at gmail.com
Wed Feb 13 23:59:40 CET 2013


On 14 Feb 2013 03:59, "Donald Stufft" <donald.stufft at gmail.com> wrote:
>
> On Wednesday, February 13, 2013 at 5:29 AM, Robert Collins wrote:
>>
>> On 13 February 2013 15:12, Giovanni Bajo <rasky at develer.com> wrote:
>>
>>> Yes, that's correct. GPG chain-of-trust concept is not used in my
>>> proposal, because I don't think it would be a good fit for this problem
>>> given its requirements. Specifically, I believe pip users should not be
>>> bothered with useless click-through questions for each new package they
>>> install, which is what you would get far too often in case chain-of-trust
>>> were used.
>>
>>
>> But this means someone that gets access to the PyPI server can just
>> mark their own key as trusted and compromise any package they want.
>>
>> -Rob
>>
> I used to have the same idealistic idea that we should be able to
> *not* trust PyPI for the average user. However PyPI *is* the final
> authority on who has the right to publish to what name. It would be
> a bit like trying to determine if the PSF owns python.org without
> involving the company running the .org TLD.

I see it as similar to the SSL CA system - it has plenty of known flaws,
but still closes a whole lot of attack vectors, and thus is worth doing.
Particularly security conscious users will still be able to do their own
verification, or pay a redistributor to do additional verification on their
behalf. (For example, I expect you would fail all the meaningful Common
Criteria EAL certification levels if you blindly trusted PyPI).

Cheers,
Nick.
