[Distutils] Remove the "Mirror Authenticity" API
noah at coderanger.net
Sun Sep 29 03:10:06 CEST 2013
On Sep 28, 2013, at 8:05 PM, Donald Stufft <donald at stufft.io> wrote:
> I believe we should remove the /serverkey and /serversig/* APIs from PyPI.
> * I am not aware of *any* implementation that actually verifies packages against this API
> * In the light of PEP 449 users now make a very conscious choice of which mirror they are
> using, which means they are no longer downloading random things from indiscriminate
> * It uses DSA, which is a cryptographic primitive where if you reuse the random number or
> *any* bias in your random number you completely leak the private key. Given the nature
> of PyPI it's completely possible for a malicious user to essentially create an unbounded
> number of signatures making it more likely that a random nonce will be reused.
> * Moving forward something like TUF is a much better answer to the problems this attempts
> to solve as well as other problems.
> So it's basically unused with questionable primitives and better solutions exist.
> Does anyone have any objections to this being removed?
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
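The DSA point in the quoted message (reuse the per-signature nonce k, or leak enough bias in it, and the private key falls out) is easy to show concretely. The following is an added example written for this page; it is not code from the thread, from PyPI or from the /serversig implementation. It uses textbook DSA with toy-sized parameters constructed for readability (q = 1019, p = 2q + 1 = 2039, g = 4; real DSA uses a 2048-bit p and a 224- or 256-bit q, and the algebra is identical), signs two different messages with the same k, and recovers the signer's private key from nothing but the two public signatures. The message strings and the hypothetical helper names (keygen, sign, verify, recover_private_key, demo) are assumptions of this example.

```python
import hashlib
import random
import secrets

# Toy DSA domain parameters constructed for this example (NOT production sizes).
# q = 1019 and p = 2*q + 1 = 2039 are prime; g = 2^((p-1)/q) mod p = 4 has order q.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1, "g must generate the order-q subgroup"


def h(msg: bytes) -> int:
    """Hash the message and reduce into Z_q (toy-sized, but the algebra is the same)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(rng=None):
    """Private key x in [1, q-1], public key y = g^x mod p."""
    rng = rng or secrets.SystemRandom()
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, k=None):
    """Textbook DSA signing. k MUST be uniformly random and fresh for every signature;
    the parameter exists only so the demo below can deliberately reuse it."""
    if k is None:
        k = secrets.SystemRandom().randrange(1, Q)
    if not 1 <= k < Q:
        raise ValueError("nonce k out of range")
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h(msg) + x * r)) % Q
    if r == 0 or s == 0:          # the spec says: pick a new k and try again
        raise ValueError("degenerate signature, retry with a fresh k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification: recompute r from (s, h(m), y)."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (h(msg) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def recover_private_key(msg1: bytes, sig1, msg2: bytes, sig2) -> int:
    """Given two signatures made with the same k (same r), solve for k and then x.

    s1 - s2 = k^-1 (h1 - h2)          =>  k = (h1 - h2) * (s1 - s2)^-1 mod q
    s1      = k^-1 (h1 + x r)          =>  x = (s1 * k - h1) * r^-1     mod q
    """
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("r differs: the nonce was not reused")
    h1, h2 = h(msg1), h(msg2)
    if (s1 - s2) % Q == 0:
        raise ValueError("s1 == s2 (hashes collide mod q): cannot isolate k")
    k = ((h1 - h2) * pow((s1 - s2) % Q, -1, Q)) % Q
    x = ((s1 * k - h1) * pow(r1, -1, Q)) % Q
    return x


def demo(seed: int = 1):
    """Sign two different 'package files' with one nonce, then recover the key.

    Returns (true_private_key, recovered_private_key); they are equal."""
    rng = random.Random(seed)             # deterministic so the run is reproducible
    x, y = keygen(rng)
    # Constructed sample inputs standing in for the files a mirror would sign.
    msgs = [b"pkg-1.0.tar.gz", b"pkg-1.1.tar.gz", b"pkg-2.0.tar.gz"]
    # With a toy q, h(m) collisions are plausible; pick two messages that differ mod q.
    m1, m2 = next((a, b) for a in msgs for b in msgs if h(a) != h(b))
    for k in range(2, Q):                 # find a k that yields non-degenerate signatures
        try:
            sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
            break
        except ValueError:
            continue
    assert verify(y, m1, sig1) and verify(y, m2, sig2)
    recovered = recover_private_key(m1, sig1, m2, sig2)
    return x, recovered


if __name__ == "__main__":
    x, recovered = demo()
    print(f"private key: {x}  recovered from two signatures: {recovered}")
```

The attacker needs only the two signatures and the signed messages, exactly what a public /serversig/* endpoint hands out, and a service that signs arbitrary attacker-chosen uploads gives them as many samples as they like, which is the "unbounded number of signatures" concern above. The standard mitigation where DSA/ECDSA must be kept is deriving k deterministically from the private key and message (RFC 6979); dropping the endpoint, as proposed, removes the exposure entirely.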