[Distutils] Remove the "Mirror Authenticity" API

Noah Kantrowitz noah at coderanger.net
Sun Sep 29 03:10:06 CEST 2013



On Sep 28, 2013, at 8:05 PM, Donald Stufft <donald at stufft.io> wrote:

> I believe we should remove the /serverkey and /serversig/* API's from PyPI.
> * I am not aware of *any* implementation that actually verifies packages against this API
> * In the light of PEP449 users now make a very conscious choice of which mirror they are
>   using, which means they are no longer downloading random things from indiscriminate
>   mirrors.
> * It uses DSA, which is a cryptographic primitive where if you reuse the random number or
>   *any* bias in your random number you completely leak the private key. Given the nature
>   of PyPI it's completely possible for a malicious user to essentially create an unbounded
>   number of signatures making it more likely that a random nonce will be reused.
> * Moving forward something like TUF is a much better answer to the problems this attempts
>   to solve as well as other problems.
> So it's basically unused with questionable primitives and better solutions exist.
> Does anyone have any objections to this being removed?
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130928/65657e12/attachment.sig>

More information about the Distutils-SIG mailing list