[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
Justin Cappos
jcappos at poly.edu
Fri Feb 22 17:42:02 CET 2013
Okay, I took a quick look and posted a bunch of comments in the document. I
took a more thorough look at the early sections than the later.
You've done a nice job with the design overall and clearly thought through
a lot of security issues. I did point out several places where I either don't
understand something or there might be a potential to improve the security.
After reading the doc, I'm not clear on how mirrors / CDNs / separate file
servers will be used in the system and what sort of trust you are placing
in them. In particular, much of the text about PyPI may or may not apply
to mirrors. These are a major headache from a security standpoint and
something we've really tried to minimize in TUF.
I've also thought more about how TUF would address the issues you've
mentioned. I believe TUF addressed the concerns mentioned in the doc
(except of course things like password storage which are PyPI website
changes). We also address all of the proposed future enhancements mentioned at the
end of the document.
I must confess I'm still digging out after my deadline, so my responses may
be delayed.
Thanks,
Justin
On Sat, Feb 9, 2013 at 4:23 PM, Giovanni Bajo <rasky at develer.com> wrote:
> Hello,
>
> my proposal for fixing PyPI and pip security is here:
>
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit#
>
> I tried to sum up the discussions we had here last week, elaborating on
> Heimes' proposal by simplifying it where I thought the additional steps
> wouldn't guarantee additional security. At this point, the proposal does
> not include a central, uber-master online GPG signing key to be stored on
> PyPI, which is IMO quite hard to handle correctly.
>
> Comments are welcome!
> --
> Giovanni Bajo :: rasky at develer.com
> Develer S.r.l. :: http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
>