[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Donald Stufft donald at stufft.io
Wed Mar 13 18:06:08 CET 2013


On Mar 13, 2013, at 12:54 PM, Tres Seaver <tseaver at palladion.com> wrote:

> On 03/12/2013 03:57 PM, holger krekel wrote:
> > Nobody should be led to think that PYPI is a trusted or reviewed
> > source of software even if we got rid of external hosting completely.
> 
> Amen.  I still boggle at the amount of "sky is falling" stuff here over
> MITM / external links / whatever, given the potential damage from
> explicitly malicious uploads (trojans, viruses, whatever).  Package
> signing might help here, but only for consumers who are willing to think hard
> enough about the problem to manage a web of trust (frankly, a vanishingly
> small minority).

Really now? Let's see, I can easily protect against malicious uploads by only installing from trusted authors. I cannot easily prevent a MITM or a compromised external host if the tools don't protect me against it. Without the tooling and infrastructure moving to close this gap, the only way to do it is to not use that tooling or infrastructure at all. Namely, even if the author of the package is myself, I cannot be secure installing it using the current toolchain and infrastructure unless I bend over backwards to make sure that no installable link appears anywhere in my long description, and I don't have a homepage, and I don't have a download url.

> 
> And then there are these problems:
> 
> - Backward-incompatible releases (even those which make appropriate
>   signals in their version numbers).
> 
> - Removal of distributions / releases / projects.
> 
> - Re-upload of new distributions which silently replace previous
>   distributions *of the same release* ("Yes, Virginia, there are
>   people out there who do this").
> 
> which are deal-killers for the folks who want always-on, reliable,
> repeatable, automatic installation from PyPI (instead of creating their
> own indexes).
> 
> Adding HTTPS or removing external links does nothing to mitigate those
> issues.

Yes there are other problems, so let's just throw our hands in the air and say fuck it instead of iteratively working to secure the system.

> 
> 
> Tres.
> -- 
> ===================================================================
> Tres Seaver          +1 540-429-0999          tseaver at palladion.com
> Palladion Software   "Excellence by Design"    http://palladion.com
> 
> 
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
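As an added illustration of the gap Donald describes above (this is not code from the thread or from any PyPI tooling): a small audit that, given a package's index page, separates release files served over HTTPS from the index host itself from the links an installer would otherwise follow to an external host or over plain HTTP, which is exactly where a MITM or a compromised third-party host gets its chance. The page markup, the host name and every URL below are constructed assumptions, as is the simplification that only `<a href>` links matter.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed trusted index host; everything else is "external hosting".
INDEX_HOST = "pypi.python.org"

# Constructed sample of a per-package index page (not a real PyPI page).
BASE_URL = "https://pypi.python.org/simple/example/"
SAMPLE_PAGE = """
<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">example-1.0.tar.gz</a><br/>
<a href="http://example.invalid/" rel="homepage">home</a><br/>
<a href="http://downloads.example.invalid/example-1.0.zip" rel="download">download</a><br/>
<a href="http://pypi.python.org/packages/source/e/example/example-0.9.tar.gz">example-0.9.tar.gz</a><br/>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every <a href> on the page, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []  # (absolute_url, rel)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        if attrs.get("href"):
            self.links.append((urljoin(self.base_url, attrs["href"]), attrs.get("rel") or ""))


def classify_links(page_html, base_url):
    """Split links into (trusted, untrusted).

    trusted:   HTTPS links served from INDEX_HOST itself
    untrusted: list of (url, rel, reason) an installer should not follow blindly
    """
    collector = LinkCollector(base_url)
    collector.feed(page_html)
    trusted, untrusted = [], []
    for url, rel in collector.links:
        parts = urlsplit(url)
        if parts.hostname != INDEX_HOST:
            untrusted.append((url, rel, "external host"))
        elif parts.scheme != "https":
            untrusted.append((url, rel, "not https"))  # downgrade / MITM exposure
        else:
            trusted.append(url)
    return trusted, untrusted
```

Run `classify_links(SAMPLE_PAGE, BASE_URL)` to see the one release file that stays on the index host over HTTPS, versus the homepage, download link and plain-HTTP link that the page would otherwise hand to an installer.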
