[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site
Tres Seaver
tseaver at palladion.com
Wed Mar 13 18:21:45 CET 2013
On 03/13/2013 01:06 PM, Donald Stufft wrote:

> Really now? Let's see I can easily protect against malicious uploads
> by only installing from trusted authors

How do you know who to trust? What if an author you trust adds a
dependency to a package to an author you have no knowledge of, or one
you actively distrust? What if an author you trust commits one of the
other changes I outlined (removes a release / distribution, makes
backward-incompatible changes, re-uploads a changed distribution over an
existing one?)

The only way to implement "only install from trusted authors" is to run
your own index, and explicitly review / curate the package set maintained
there. In that scenario, you run a script from time to time which looks
for new versions of your packages on PyPI and puts them into a queue for
review.

Bob, a casual reviewer, might install the new version from PyPI into a
fresh virtualenv and test it there before pushing it into the curated index.

Carol, more paranoid^Wsecurity minded, downloads the package, verifies its
signature, unpacks the tarball, diffs it against the curated version,
compares that diff against the changelog, looks at new / changed
dependencies, and installs it into a hardened sandbox for testing. Only
after that kind of review does she push the newly-reviewed distribution
into the curated index.

Adding an entirely new package to the curated index is a similar process,
but requires more effort from either Bob or Carol.

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
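Carol's diff and dependency check from the message above, sketched as an added example (not part of the original message or of any PyPI tooling). It assumes sdists are tarballs with a top-level PKG-INFO that lists Requires-Dist; all function names and sample data are hypothetical.

```python
import io
import tarfile
from email.parser import Parser

def members(sdist):
    """Map path (top-level directory stripped) -> bytes; read in memory, never extracted."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():  # links and device nodes are skipped, not followed
                files[m.name.split("/", 1)[-1]] = tar.extractfile(m).read()
    return files

def metadata(files):
    """Return (version, set of Requires-Dist entries) from PKG-INFO (assumed layout)."""
    msg = Parser().parsestr(files.get("PKG-INFO", b"").decode("utf-8", "replace"))
    return msg.get("Version"), set(msg.get_all("Requires-Dist") or [])

def review(curated, candidate):
    """Summarise what a reviewer must read before promoting `candidate`."""
    old, new = members(curated), members(candidate)
    (old_ver, old_deps), (new_ver, new_deps) = metadata(old), metadata(new)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "new_deps": sorted(new_deps - old_deps),
        "dropped_deps": sorted(old_deps - new_deps),
        # Same version number but different bytes: a re-upload over an existing release.
        "reupload": old_ver == new_ver and curated != candidate,
    }

def make_sdist(top, files):
    """Build a constructed sample sdist (.tar.gz) in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample releases; "unreviewed-pkg" is a made-up dependency name.
PKG = "Metadata-Version: 2.1\nName: demo\nVersion: %s\nRequires-Dist: requests\n"
OLD = make_sdist("demo-1.0", {"PKG-INFO": PKG % "1.0", "demo.py": "x = 1\n"})
NEW = make_sdist("demo-1.1", {"PKG-INFO": PKG % "1.1" + "Requires-Dist: unreviewed-pkg\n",
                              "demo.py": "x = 2\n", "hook.py": "pass\n"})

if __name__ == "__main__":
    print(review(OLD, NEW))
```

The report only narrows what the reviewer has to read; signature verification and the sandboxed install remain separate steps.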