[Distutils] Remove the "Mirror Authenticity" API
Noah Kantrowitz
noah at coderanger.net
Sun Sep 29 03:10:06 CEST 2013
+1
--Noah
On Sep 28, 2013, at 8:05 PM, Donald Stufft <donald at stufft.io> wrote:
> I believe we should remove the /serverkey and /serversig/* APIs from PyPI.
>
> * I am not aware of *any* implementation that actually verifies packages against this API
>
> * In light of PEP 449, users now make a very conscious choice of which mirror they are
> using, which means they are no longer downloading random things from indiscriminate
> mirrors.
>
> * It uses DSA, which is a cryptographic primitive where if you reuse the random number, or
> there is *any* bias in your random number, you completely leak the private key. Given the nature
> of PyPI it's completely possible for a malicious user to essentially create an unbounded
> number of signatures, making it more likely that a random nonce will be reused.
>
> * Moving forward something like TUF is a much better answer to the problems this attempts
> to solve as well as other problems.
>
> So it's basically unused with questionable primitives and better solutions exist.
>
> Does anyone have any objections to this being removed?
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
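Donald's DSA point above, as an added toy example that is not code from PyPI, pip or anyone on the thread: it assumes hypothetical tiny parameters (p=47, q=23, g=4) and a key x=7 so the arithmetic stays readable, signs with a caller-supplied k, shows an RFC 6979-style deterministic nonce as the mitigation, and includes a batch check that flags repeated r values, the visible fingerprint of a repeated nonce.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed toy parameters: q | p-1 (46 = 2*23) and g = 2^2 has order q mod p.
P, Q, G = 47, 23, 4
PRIVATE_X = 7                        # hypothetical signer key, 1 <= x < q
PUBLIC_Y = pow(G, PRIVATE_X, P)

def h(msg):
    """Hash the message into Z_q (real DSA truncates the digest to |q| bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign_with_nonce(msg, k):
    """Core DSA step. Whoever picks k carries the whole security burden."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h(msg) + PRIVATE_X * r)) % Q
    return (r, s) if r and s else None   # DSA rejects r == 0 or s == 0; retry

def sign_deterministic(msg):
    """RFC 6979-style mitigation (simplified): k derived from key and message."""
    key = PRIVATE_X.to_bytes(4, "big")
    for counter in range(256):
        mac = hmac.new(key, msg + bytes([counter]), "sha256").digest()
        sig = sign_with_nonce(msg, int.from_bytes(mac, "big") % (Q - 1) + 1)
        if sig:
            return sig
    raise RuntimeError("no usable nonce found")

def verify(msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(PUBLIC_Y, u2, P) % P) % Q == r

def find_repeated_r(signatures):
    """Defender-side check over a batch of signatures from one key: r depends only
    on k, so with a real-size q a repeated r means a repeated nonce (toy q can alias)."""
    by_r = defaultdict(list)
    for idx, (r, _s) in enumerate(signatures):
        by_r[r].append(idx)
    return {r: idxs for r, idxs in by_r.items() if len(idxs) > 1}

def reuse_demo(messages, k):
    """Sign several messages with one fixed k and return what the check reports."""
    sigs = [sig for sig in (sign_with_nonce(m, k) for m in messages) if sig]
    return sigs, find_repeated_r(sigs)
```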