[Distutils] PGP keys required? (Re: PEP 243)

Bob Ippolito bob at redivi.com
Sat Jan 31 17:34:28 EST 2004 

On Jan 31, 2004, at 4:59 PM, Keith Jackson wrote:

> On Jan 29, 2004, at 3:26 AM, Bob Ippolito wrote:
>
>> On Jan 29, 2004, at 6:15 AM, Anthony Baxter wrote:
>>
>>>
>>>>>> "Moore, Paul" wrote
>>>> From: Michael T. Babcock
>>>>> Would it be worthwhile to stipulate that anyone who wants to 
>>>>> submit a
>>>>> package to an automated distutils system have a PGP/GPG key signed 
>>>>> by
>>>>> an appropriate Python authority or another developper?
>
> I'm not a lawyer, but this makes me uncomfortable. Seems to bring up a 
> whole can of liability worms.
>
>>>
>>>> -1. The effect would be to bar new submitters, who wouldn't have the
>>>> necessary signed key, as well as to people like myself who can't be
>>>> bothered trying to maintain a PGP key.
>>>
>>> It should be at least an option, anyway.
>>
>> Isn't most of the stuff used to support GPG under the GNU GPL 
>> license?  I think that would preclude it from being incorporated into 
>> the mainline of distutils.
>>
>
> Yes, but I don't think that prevents distutils from running a shell 
> command to invoke gpg. I'd really like to see this as an option. As 
> soon as people start putting more things up in a repository, the more 
> likely it will become that someone tries to trojan things. I'd also 
> like to see M2Crypto or pyOpenSSL support for S/MIME sigs.

Well, right now there is no repository, PyPI links to the author's 
page.  There are repositories for Mac ports, though, but we're not 
terribly worried at the moment (I maintain one of them, python.org has 
the other maintained by Jack).  The package index has MD5 hashes and 
URLs to tarballs (that can be anywhere).  Obviously you have to trust 
me or Jack, and the integrity of our servers, but I don't think that's 
a huge problem right now.  I do have a CA-signed SSL cert for 
pythonmac.org and I could put a package index there.. so you could 
verify that there wasn't some sort of spoof or man in the middle 
attack, but it just hasn't been worth doing so far.

> Personally I'd be willing to settle for a separate machine that 
> maintained the sha1 hashes of all the code. At least then you'd have 
> to crack two machines to trojan software. distutils could have built 
> in support for getting the sha1 hash and verifying it. I'm much more 
> concerned with the code integrity then authenticating who wrote it. 
> This is open-source, so I'm not going to have any legal options 
> against someone who wrote bad code.
>
> What I am concerned about is minimizing the likelihood that someone 
> can trojan a distutils repository. Given how frequently this has 
> happened to other sites, it seems like a reasonable concern.
>
>> Personally, I don't think it would be a popular enough feature to 
>> justify the changes.  For the people who do care, a "meta-index" 
>> could be created where the developer could, email a pgp-signed or 
>> s/mime signed message containing the URLs and sha1 hashes of the 
>> files to some robot-address that would insert it into the 
>> "meta-index" if the credentials were ok.
>
> Yes, but of course this begs the age old key distribution problem.

So does anything else?

> I'm all in favor of some kind of optional support for PGP or S/MIME 
> signatures, I exist in an X.509 world, so I could take advantage of it 
> for my own work. That said, I think that code integrity in the 
> repository is a much bigger issue that authenticating who put the code 
> into the repository. (yes i do understand that the sig will also 
> handle integrity, but it is probably overkill)
>
> All a sha1 hash would say is that: The distutils repository only 
> contains the code that was legitimately submitted. That doesn't mean 
> someone didn't submit a trojan, but it does mean that for major 
> projects like wxPython that if the hash verifies then most likely 
> things are ok.

md5 and sha1 hashes are fine, Python comes with those.. but crypto 
isn't really an option because there are people who are concerned about 
the associated export/import laws that will not let it go into mainline 
Python (I tried).

> Sorry for the long post, but I think if we're going to do a python 
> repository, we should be concerned about the integrity of the 
> repository.
> --keith
>
> p.s. How does CPAN deal with these issues?

They don't, and I haven't really heard of any problems.  From what I 
understand, the author uploads a package to PAUSE (w/ a login/password, 
probably not even over SSL), and it gets replicated throughout CPAN in 
a few hours.

-bob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2357 bytes
Desc: not available
Url : http://mail.python.org/pipermail/distutils-sig/attachments/20040131/7f71727a/smime.bin

More information about the Distutils-SIG mailing list