[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Richard Jones richard at python.org
Wed Dec 31 05:14:33 CET 2014

Now that I think about it, I'm almost certain that Donald and I have had
the "hey, what about an upload.pypi.python.org" conversation in the past,
as a way around issues involving the CDN :)

Still a good idea, in my opinion.


On Wed Dec 31 2014 at 3:01:53 PM Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 31 December 2014 at 12:32, Donald Stufft <donald at stufft.io> wrote:
>> PyPI trusts the CDN to give it the correct bits, without a signature from
>> the author that is being verified uploading just relies on TLS again. The
>> other PEP should close that gap though I believe.
> I'm actually not sure what going through the CDN is buying us on the
> upload side of things in the first place, given the main pay-off provided
> by a CDN is geographically distributed caching of unchanging data for
> faster downloads.
> So it seems to me that that particular vulnerability could potentially be
> fixed more simply by bypassing the CDN entirely for the upload case. That's
> simplicity in the *conceptual* sense, though - there may be architectural
> issues in the current implementation of PyPI and the related tools that
> make it harder in practice than it would be in theory.
> Either way, I agree that any kind of upload compromise based attack is
> also out of scope for PEP 458 - that's now entirely about ensuring that the
> bits delivered to end users are the same bits PyPI published. Making sure
> that the bits *PyPI* publishes are the same ones that the *developer*
> published is the domain of PEP 480.
> Cheers,
> Nick.
> --
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20141231/8c92e882/attachment.html>

More information about the Distutils-SIG mailing list