[Distutils] providing a way for pip to communicate extra info to users

Justin Cappos jcappos at nyu.edu
Thu Apr 12 12:12:36 EDT 2018

FYI: TUF has a custom metadata field in the targets metadata that could
potentially be used for this purpose.  We can explain more if there is

On Thu, Apr 12, 2018 at 8:26 AM, Nathaniel Smith <njs at pobox.com> wrote:

> From the TUF perspective it seems like it would be straightforward to make
> the MOTD a "package", whose "contents" is the MOTD text, and that we
> "upgrade" it to get the latest text before displaying anything.
> -n
> On Thu, Apr 12, 2018, 05:10 Nick Coghlan <ncoghlan at gmail.com> wrote:
>> On 12 April 2018 at 07:01, Paul Moore <p.f.moore at gmail.com> wrote:
>> > HTTPS access to the index server is fundamental to pip - if an
>> > attacker can subvert that, they don't need to mess with a message,
>> > they can just replace packages. So I don't see that displaying a
>> > message that's available from that same index server is an additional
>> > vulnerability, surely? But I'm not a security expert - I'd defer to
>> > someone like Donald to comment on the security aspects of any proposal
>> > here.
>> Right now it doesn't create any additional vulnerabilities, since
>> we're relying primarily on HTTPS for PyPI -> installer security.
>> However, that changes once PEP 458 gets implemented, as that will
>> switch the primary package level security mechanism over to TUF, which
>> includes a range of mechanisms designed to detect tampering with the
>> link to PyPI (including freeze attacks that keep you from checking for
>> new packages, or attempting to lie about which versions are
>> available).
>> So the scenario we want to avoid is one where an attacker can present
>> a notice that says "Please ignore that scary security warning your
>> installer is giving you, we're having an issue with the metadata
>> generation process on the server. To resolve the problem, please force
>> upgrade pip".
>> That's a solvable problem (e.g. only check for the MOTD *after*
>> successfully retrieving a valid metadata file), but it's still
>> something to take into account.
>> Cheers,
>> Nick.
>> --
>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>> _______________________________________________
>> Distutils-SIG maillist  -  Distutils-SIG at python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20180412/75ee8f4c/attachment.html>

More information about the Distutils-SIG mailing list