[Distutils] Remove the "Mirror Authenticity" API
Donald Stufft
donald at stufft.io
Sun Sep 29 03:05:00 CEST 2013
I believe we should remove the /serverkey and /serversig/* APIs from PyPI.

* I am not aware of *any* implementation that actually verifies packages against this API.
* In the light of PEP 449 users now make a very conscious choice of which mirror they are using, which means they are no longer downloading random things from indiscriminate mirrors.
* It uses DSA, which is a cryptographic primitive where if you reuse the random number or have *any* bias in your random number you completely leak the private key. Given the nature of PyPI it's completely possible for a malicious user to essentially create an unbounded number of signatures, making it more likely that a random nonce will be reused.
* Moving forward something like TUF is a much better answer to the problems this attempts to solve as well as other problems.

So it's basically unused, with questionable primitives, and better solutions exist.

Does anyone have any objections to this being removed?
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
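The DSA point in the message (a reused nonce gives away the private key) is easy to see in working code. The script below is an added example, not PyPI's code and not anything from the post: it implements textbook DSA over deliberately tiny, insecure parameters (q = 1,000,003, where real DSA uses a 160- to 256-bit q) so it runs offline in well under a second, signs two constructed sample "package file" messages with the same nonce, and recovers the private key from the pair of signatures with two modular divisions. The hash is reduced mod q rather than truncated to the bit length of q, a simplification noted in the code; the biased-nonce case, which needs lattice methods rather than this one-line algebra, is not shown.

```python
"""Toy DSA showing private-key recovery from a reused nonce.

Added example, not PyPI's code. The arithmetic is standard DSA; only the
parameter sizes are toy-sized (and therefore insecure) so it runs instantly.
"""
import hashlib


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~25-bit toy parameters used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def toy_params(q: int = 1_000_003):
    """Derive (p, q, g) from a small prime q: p = k*q + 1 prime, g of order q.

    Real DSA uses q of 160-256 bits and p of 1024-3072 bits; these sizes are
    for illustration only and offer no security.
    """
    if not is_prime(q):
        raise ValueError("q must be prime")
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)   # element of order q unless it collapses to 1
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


def hash_mod_q(message: bytes, q: int) -> int:
    """SHA-256 reduced mod q. Standard DSA truncates the digest to len(q) bits;
    reducing mod q is a simplification that keeps the toy algebra exact."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def sign(params, x: int, message: bytes, k: int):
    """Textbook DSA signing. The nonce k is caller-supplied so reuse can be shown."""
    p, q, g = params
    if not 0 < k < q:
        raise ValueError("nonce must be in [1, q-1]")
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_mod_q(message, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick another nonce")
    return r, s


def verify(params, y: int, message: bytes, sig) -> bool:
    """Textbook DSA verification against public key y = g^x mod p."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = hash_mod_q(message, q) * w % q
    u2 = r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def recover_private_key(params, m1: bytes, sig1, m2: bytes, sig2) -> int:
    """Two signatures sharing r (hence the same k) leak x:

    s1 - s2 = k^-1 (h1 - h2)  =>  k = (h1 - h2) / (s1 - s2)   (mod q)
    s1 = k^-1 (h1 + x r)      =>  x = (s1 k - h1) / r          (mod q)
    """
    _, q, _ = params
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r values: nonces differ, this attack does not apply")
    h1, h2 = hash_mod_q(m1, q), hash_mod_q(m2, q)
    if (s1 - s2) % q == 0:
        raise ValueError("identical s: message hashes equal mod q, nothing to solve")
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - h1) * pow(r1, -1, q) % q


def demo():
    """Sign two constructed 'package file' messages with one nonce, recover x.

    Returns (true_x, recovered_x) so the result can be checked programmatically.
    """
    params = toy_params()
    p, q, g = params
    x = 424242 % q                       # private key, fixed for reproducibility
    y = pow(g, x, p)                     # public key, the analogue of /serverkey
    m1 = b"example_pkg-1.0.tar.gz"       # constructed sample inputs, not real files
    m2 = b"example_pkg-1.1.tar.gz"
    k = 31337                            # the nonce the signer wrongly reuses
    while True:
        try:
            sig1, sig2 = sign(params, x, m1, k), sign(params, x, m2, k)
            break
        except ValueError:
            k += 1                       # skip the ~1/q chance of r == 0 or s == 0
    assert verify(params, y, m1, sig1) and verify(params, y, m2, sig2)
    return x, recover_private_key(params, m1, sig1, m2, sig2)


if __name__ == "__main__":
    true_x, found_x = demo()
    print(f"private key {true_x}, recovered {found_x}, match={true_x == found_x}")
```

Because `recover_private_key` only needs the two signatures and the two signed messages, an attacker who can collect signatures (or, as the message notes, cause an unbounded number of them to be produced) needs no access to the signer at all; detecting a repeated r across a signature corpus is enough to know the key is gone.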