[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Giovanni Bajo rasky at develer.com
Fri Feb 22 23:35:09 CET 2013


Il giorno 22/feb/2013, alle ore 17:42, Justin Cappos <jcappos at poly.edu> ha scritto:

> Okay, I took a quick look and posted a bunch of comments in the document. I took a more thorough look at the early sections than the later.
> 
> You've done a nice job with the design overall and clearly thought through a lot of security issues. I did point several places where I either don't understand something or there might be a potential to improve the security.   

Thanks. I've replied to your comments.

> After reading the doc, I'm not clear on how mirrors / CDNs / separate file servers will be used in the system and what sort of trust you are placing in them.  In particular, much of the text about PyPI may or may not apply to mirrors. These are a major headache from a security standpoint and something we've really tried to minimize in TUF.

I think the current PyPI mirror can be highly simplified once we introduce end-to-end authenticity with GPG. My suggestion would be to make them simple file servers, or even drop them and switch to commercial CDN, that would simplify lots of management. What we should drop is the concept of a full mirror, as it creates lots of security headaches as you say. I think the PSF board is open to a proposal to set up a budget for this.

> I've also thought more about how TUF would address the issues you've mentioned. I believe TUF addressed the concerns mentioned in the doc (except of course things like password storage which are PyPI website changes). We also all of the proposed future enhancements mentioned at the end of the document.

I think TUF is a large superset of what I proposed, that means that it is also a large superset of what it is (likely) needed. I'm still worried of how we can simplify TUF from an UX and IT perspective. I think that I need some inputs from you. Can you please write down something that describes:

1) What is exactly expected from a package maintainer to do to:
 1a) register themselves as package maintainers on PyPI
 1b) sign/publish a new package
 1c) hide/show a package version
2) What modifications are required on the PyPI server? How many GPG keys the server would need to handle? Would they be online or offline? What processes do we need to setup?

I would expect such document to describe also required changes to distutils and PyPI protocols, if required.

> I must confess I'm still digging out after my deadline, so my responses may be delayed.

There is no specific hurry, though I would like these issues to be sorted out. I'm happy to integrate TUF if it's the best solution, but we need to discuss how.
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130222/c1336757/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4346 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130222/c1336757/attachment.bin>


More information about the Catalog-SIG mailing list