[Distutils] PEP453 - Explicit bootstrapping of pip in Python installations

Nick Coghlan ncoghlan at gmail.com
Wed Sep 4 01:29:46 CEST 2013


On 3 Sep 2013 23:14, "Anders J. Munch" <ajm at flonidan.dk> wrote:
>
> Nick Coghlan:
> > It would be trusting the integrity of PyPI for the software itself,
> > and the CA system to know that it's actually talking to PyPI. Far from
> > ideal, but we don't have a viable end-to-end signing system yet
> > (mostly due to the associated key management and update/revocation
> > problems).
>
> So retrieving pip is over https and the cert is validated? That's a
> satisfactory answer, certainly.
>
> > Given that the trust model for the installer itself is usually "I
> > downloaded it from python.org", the risk isn't actually increased all
> > that much.
>
> I'd worry about any increase in risk.  If the target becomes big
> enough, malware may start targeting Python auto-install mechanisms,
> even if it doesn't today.  The python.org installers are PGP signed,
> by the way. Maybe you meant the installers retrievable through PyPI?

Those too, but I meant I don't know of anyone that checks the signatures of
the Windows installers before running them. Certainly beginners don't,
since "setting up GPG is painful on Windows" is one of the reasons relying
on it for PyPI is a problem. Sure, it can be done in *theory*, but in
practice... :P

For me, the bar is currently set at "more secure than it used to be" (a
baseline which is fortunately higher than it used to be now both pip and
easy_install do SSL cert verification, but still disturbingly low in other
ways).

Cheers,
Nick.

>
> regards, Anders
>
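The thread turns on two checks: that the bootstrap download really talks to the expected host (TLS certificate and hostname validation, which Nick notes pip and easy_install now do) and that what was downloaded is what the publisher released (the PGP/digest check that, as Nick says, almost nobody performs on Windows installers). The script below is an added example written for this page, not code from the PEP, pip, or any of the posters; it shows how a bootstrapper can make both checks explicit in Python's standard library. The URL, the `opener` hook, and the sample payload are constructed placeholders, and the expected digest stands in for a value you would obtain out of band (for example from a signed release announcement), never from the same channel as the artifact.

```python
"""Added example (not from the thread): fetch a bootstrap artifact over HTTPS
with certificate verification enforced, then refuse to use it unless its
SHA-256 matches a digest obtained out of band."""
import hashlib
import hmac
import ssl
import urllib.request

# Constructed sample artifact and its digest; in real use the digest comes from
# a trusted, separately obtained source, not from the download itself.
SAMPLE_PAYLOAD = b"constructed placeholder bytes standing in for an installer"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


def verifying_tls_context() -> ssl.SSLContext:
    """Return a context that rejects any peer whose chain or hostname fails to validate.

    create_default_context() already verifies, but setting the two knobs
    explicitly documents the policy and guards against a later edit that
    quietly relaxes it (the classic "CERT_NONE to make it work" regression).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def digest_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of the artifact's SHA-256 with the expected hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def fetch_and_verify(url: str, expected_sha256_hex: str, opener=None) -> bytes:
    """Download `url` and return its bytes only if the digest matches.

    `opener` is a hypothetical hook (a callable taking the URL and returning
    bytes) so the verification path can be exercised offline; by default
    urllib is used with the strict TLS context above.
    """
    if opener is None:
        ctx = verifying_tls_context()

        def opener(u):
            with urllib.request.urlopen(u, context=ctx) as resp:
                return resp.read()

    data = opener(url)
    if not digest_matches(data, expected_sha256_hex):
        # Do not write the file to disk or execute it; a mismatch means either a
        # corrupted download or a substituted artifact, and both are fatal here.
        raise ValueError("digest mismatch: refusing to use downloaded artifact")
    return data


if __name__ == "__main__":
    # Offline demonstration using the constructed payload via the opener hook.
    good = fetch_and_verify("https://example.invalid/pip-bootstrap.whl",
                            SAMPLE_SHA256, opener=lambda u: SAMPLE_PAYLOAD)
    print("verified", len(good), "bytes")
    try:
        fetch_and_verify("https://example.invalid/pip-bootstrap.whl",
                         SAMPLE_SHA256, opener=lambda u: b"tampered content")
    except ValueError as exc:
        print("rejected:", exc)
```

The TLS context addresses the "am I really talking to PyPI/python.org" question from the quoted exchange; the digest check addresses the separate question of whether the bytes are the ones the publisher released, which TLS alone cannot answer if the origin itself is compromised. The digest is compared with `hmac.compare_digest` out of habit rather than necessity here, since the expected value is public, but it costs nothing and keeps the pattern consistent with other verification code.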