[Distutils] PEP draft on PyPI/pip package signing

Giovanni Bajo rasky at develer.com
Tue Jul 29 02:07:22 CEST 2014 

Il giorno 29/lug/2014, alle ore 00:22, Justin Cappos <jcappos at nyu.edu> ha scritto:

> So, I think Vlad covered the status of the implementation side well.   
> 
> We've also done some work on the writing / doc side, but haven't pushed fixes to the PEP.   We can (and should) do so.

Yes, please, that would be great.

>   We have an academic writeup that speaks in more detail about many of the issues you mention, along with other items.   We will make the revised documents easier to find publicly, but let me address your specific concerns here.
> 
>  * what a maintainer is supposed to do to submit a new signed package
> 
> A maintainer will upload a public key when creating a project.   When uploading a package, metadata is signed and uploaded that indicates trust.   Our developer tools guide (https://github.com/theupdateframework/tuf/blob/develop/tuf/README-developer-tools.md) is meant to be a first draft at this document that answers any questions.   
> 
> There will also be a quick start guide which is just a few steps:
> 
> generate and upload a key
> sign metadata and upload it with your project
> 
>  * how can differ maintainers signal that they both maintain the same package
> 
> A project can delegate trust to multiple developers.   Depending on how this is done, either developer may be trusted for the package.   The developer tools guide shows this.
> 
>  * how the user interface of PyPI will change
> 
> We're open to suggestions here.   There is flexibility from our side for how this works.   


>  * what are the required security maintenance that will need to be regularly performed by the PyPI ops
> 
> Essentially, the developers need to check a list of 'revoked claimed keys' and ensure that this list matches what they will sign with their offline claimed key.   This is also detailed in the writeup.
> 
> Giovanni: TUF retains security even when PyPI is compromised (including online keys).  

Please elaborate on “survive". What I read in the PEP, if I compromise PyPI I can get access to timestamp, consistent-snapshot, and unclaimed roles, which in turn lets me perform malicious updates, freeze attacks and metadata inconsistency attacks (= all possible attacks).

-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140729/fe8827ef/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4207 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140729/fe8827ef/attachment.bin>

More information about the Distutils-SIG mailing list