[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

[Vladimir Diaz]

Nick,

Renaming the PEPs is not problem.  Perhaps "PEP 458: Securing the Link from
PyPI to the End User" is another option.

I am going to read the Rick Walsh paper you've linked and give some careful
thought to your proposal.  I'll get back to you.  I had one person
(off-list and recommending how to better explain 480 to non-specialists)
say, "the property PEP 480 gives is that developers who sign their project
protect their users even if PyPI is compromised.  This is because end users
are told to trust the developer keys over the keys that are kept on the
PyPI server.  (PyPI administrators still have a way of  using keys that are
kept in secure, offline storage to recover if a developer's keys are lost
or stolen.)"

Yes, you gotta love those "aha" moments - you're in the shower and go to
grab the shampoo bottle when it hits you, "aha!  That's the solution...
Thank you, shampoo bottle of 'Head & Shoulders'"


On Fri, Jan 2, 2015 at 11:26 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 3 January 2015 at 02:12, Donald Stufft <donald at stufft.io> wrote:
>
>>
>> On Jan 2, 2015, at 10:51 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>>
>> Getting them to manage additional keys, and get them signed and
>> registered appropriately, and then supplying them is going to be a similar
>> amount of work, and the purpose is far more cryptic and confusing. My
>> proposal is basically that instead of asking developers to manage signing
>> keys, we should instead be ask them to manage account on a validation
>> server (or servers).
>>
>>
>> I need to think more about the rest of what you’ve said (and I don’t
>> think it’s a short term problem), but I just wanted to point out that
>> “managing keys” can be as simple as “create a secondary pass(word|phrase)
>> and remember it/write it down/whatever”. It doesn’t need to be “secure this
>> file and copy it around to all of your computers”. Likewise there’s no
>> reason that “delegate authority to someone else” can’t be something like
>> ``twine add-maintainer pip pfmoore``.
>>
>
> Yeah, I'm confident that the UI can be made relatively straightforward
> regardless of how we make the actual validation work. The part I haven't
> got the faintest clue how to do for the PEP 480 version is building viable
> "folks models" of what those commands are doing on the back end that will
> give people confidence that they understand what is going on just from
> using the tools, rather than leaving them wondering why they need a
> secondary password, etc.
>
> From a technical perspective, I don't think the validation server idea is
> superior to PEP 480. Where I think it's superior is that I'm far more
> confident in my ability to explain to a developer with zero security
> background how separate validation servers provide increased security, as
> the separation of authority would be structural in addition to
> mathematical. While the real security would still be coming from the maths,
> a folk model that believes it is coming from the structural separation
> between the publication server and the metadata validation servers will be
> good enough for most practical purposes, and unless someone is particularly
> interested in the mathematical details, they can largely be handwaved away
> with "the separation of responsibilities between the services is enforced
> mathematically".
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20150102/a11a647a/attachment-0001.html>