[Distutils] What to do about the PyPI mirrors

Donald Stufft donald at stufft.io
Tue Aug 6 09:32:39 CEST 2013

On Aug 6, 2013, at 3:29 AM, martin at v.loewis.de wrote:

> Quoting Donald Stufft <donald at stufft.io>:
>> Unless I'm forgetting something there's no real way to get the server key
>> without going through Fastly
> You should have a copy of the server key upfront, on your disk.
> You can still get it directly from pypi with HTTP request to
> pypi.into.python.org/serverkey.
>> and even if there was Fastly could just hijack
>> an upload (and murder their entire business in the process).
> Couldn't you also use pypi.int.python.org for uploading?
> Regards,
> Martin

pypi.int.python.org is not a public name and has no promise on existing
tomorrow. Even if it was it's HTTP only and thus now you have an attacker
who can substitute his own key for the server key and his own serversig
for packages downloaded over HTTP from a mirror.

The same thing applies to uploading, so you remove the possibility of
Fastly attacking you and open up the much wider chance that a MITM
would attack you.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130806/c3dc8118/attachment.pgp>

More information about the Distutils-SIG mailing list