[Distutils] What to do about the PyPI mirrors

Donald Stufft donald at stufft.io
Tue Aug 6 09:01:08 CEST 2013 

On Aug 6, 2013, at 2:56 AM, holger krekel <holger at merlinux.eu> wrote:

> On Mon, Aug 05, 2013 at 23:31 -0700, Noah Kantrowitz wrote:
>> On Aug 5, 2013, at 11:11 PM, Christian Theune <ct at gocept.com> wrote:
>> 
>>> Two more things:
>>> 
>>> why is the CDN not suffering from the security problems you describe for the mirrors?
>>> 
>>> a) Fastly seems to be the one owning the certificate for pypi.python.org. What?!?
>> 
>> They have a delegated SAN for it, which digicert (the CA) authorizes with the domain contact (the board in this case).
>> 
>>> b) What does stop Fastly from introducing incorrect/rogue code in package downloads?
>> 
>> Basically this one boils down to personal trust from me to the Fastly team combined with the other companies using them being very reputable. At the end of the day, there is not currently any cryptographic mechanism preventing Fastly from doing bad things.
> 
> The problem is not so much trusting individuals but that the companies
> in question are based in the US.  If its government wants to temporarily
> serve backdoored packages to select regions, they could silently force Fastly
> to do it.  I guess the only way around this is to work with pypi- and
> eventually author/maintainer-signatures and verification.

PyPI is hosted in the US. Anything the Government could do to Fastly it could do to OSUOL where PyPI is hosted.

The solution to that is signature validation but I think it's premature to worry too much about that when there are   lower hanging fruit that don't require the US Government deciding to backdoor packages.

> 
> best,
> holger
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130806/ba7ef1bc/attachment.pgp>

More information about the Distutils-SIG mailing list