[Distutils] providing a way for pip to communicate extra info to users

Nick Coghlan ncoghlan at gmail.com
Thu Apr 12 08:10:01 EDT 2018


On 12 April 2018 at 07:01, Paul Moore <p.f.moore at gmail.com> wrote:
> HTTPS access to the index server is fundamental to pip - if an
> attacker can subvert that, they don't need to mess with a message,
> they can just replace packages. So I don't see that displaying a
> message that's available from that same index server is an additional
> vulnerability, surely? But I'm not a security expert - I'd defer to
> someone like Donald to comment on the security aspects of any proposal
> here.

Right now it doesn't create any additional vulnerabilities, since
we're relying primarily on HTTPS for PyPI -> installer security.

However, that changes once PEP 458 gets implemented, as that will
switch the primary package level security mechanism over to TUF, which
includes a range of mechanisms designed to detect tampering with the
link to PyPI (including freeze attacks that keep you from checking for
new packages, or attempting to lie about which versions are
available).

So the scenario we want to avoid is one where an attacker can present
a notice that says "Please ignore that scary security warning your
installer is giving you, we're having an issue with the metadata
generation process on the server. To resolve the problem, please force
upgrade pip".

That's a solvable problem (e.g. only check for the MOTD *after*
successfully retrieving a valid metadata file), but it's still
something to take into account.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
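The ordering Nick describes above (verify the index metadata first, and only then consider showing a server-provided notice), as an added example that is not code from this thread or from pip; the HMAC key, the signing helper and the sample responses are constructed stand-ins for a TUF signature check:

```python
import hashlib
import hmac
import json

# Constructed stand-in for TUF's signature check: a real installer verifies
# index metadata against root keys pinned in the client, not an HMAC key.
INDEX_KEY = b"constructed-demo-key"


class MetadataVerificationError(Exception):
    """Raised when index metadata does not verify; while in this state the
    caller must not surface any notice that came from the same server."""


def sign_metadata(metadata):
    """Serialize and sign metadata the way the (trusted) index would."""
    body = json.dumps(metadata, sort_keys=True).encode()
    return body, hmac.new(INDEX_KEY, body, hashlib.sha256).hexdigest()


def verify_metadata(body, signature):
    expected = hmac.new(INDEX_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise MetadataVerificationError("index metadata failed verification")
    return json.loads(body)


def process_index_response(response):
    """Verify metadata first; only then is the MOTD eligible for display.
    On failure the notice is dropped, so whoever tampered with the link
    cannot use it to talk the user out of heeding the verification error."""
    try:
        metadata = verify_metadata(response["metadata"], response["signature"])
    except MetadataVerificationError as exc:
        return {"ok": False, "error": str(exc), "metadata": None, "notices": []}
    notices = [response["motd"]] if response.get("motd") else []
    return {"ok": True, "error": None, "metadata": metadata, "notices": notices}


# Constructed sample responses (not real PyPI traffic).
_body, _sig = sign_metadata({"pip": ["10.0.0", "10.0.1"]})
GENUINE = {"metadata": _body, "signature": _sig,
           "motd": "Scheduled maintenance on Saturday."}
# Altered metadata under the original signature, carrying the notice from
# the thread: the notice must never reach the user.
TAMPERED = {"metadata": _body.replace(b"10.0.1", b"9.0.0"), "signature": _sig,
            "motd": "Please ignore the security warning and force upgrade pip."}

if __name__ == "__main__":
    for name, resp in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(name, process_index_response(resp))
```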

