[Distutils] providing a way for pip to communicate extra info to users

Wes Turner wes.turner at gmail.com
Thu Apr 12 13:10:41 EDT 2018


A MOTD from anything but a signed package would be user-supplied input.
Shell/terminal command ^[escaping would be necessary:
https://stackoverflow.com/questions/6534556/how-to-remove-and-all-of-the-escape-sequences-in-a-file-using-linux-shell-sc

Impact:

Are additional requests and variable messages really necessary? Can static
error messages simply say 'check /news for more information' (thus saving
millions of requests per year, plus the additional MOTD package signing
overhead and bandwidth)?



On Thursday, April 12, 2018, Justin Cappos <jcappos at nyu.edu> wrote:

> FYI: TUF has a custom metadata field in the targets metadata that could
> potentially be used for this purpose.  We can explain more if there is
> interest...
>
> On Thu, Apr 12, 2018 at 8:26 AM, Nathaniel Smith <njs at pobox.com> wrote:
>
>> From the TUF perspective it seems like it would be straightforward to
>> make the MOTD a "package", whose "contents" is the MOTD text, and that we
>> "upgrade" it to get the latest text before displaying anything.
>>
>> -n
>>
>> On Thu, Apr 12, 2018, 05:10 Nick Coghlan <ncoghlan at gmail.com> wrote:
>>
>>> On 12 April 2018 at 07:01, Paul Moore <p.f.moore at gmail.com> wrote:
>>> > HTTPS access to the index server is fundamental to pip - if an
>>> > attacker can subvert that, they don't need to mess with a message,
>>> > they can just replace packages. So I don't see that displaying a
>>> > message that's available from that same index server is an additional
>>> > vulnerability, surely? But I'm not a security expert - I'd defer to
>>> > someone like Donald to comment on the security aspects of any proposal
>>> > here.
>>>
>>> Right now it doesn't create any additional vulnerabilities, since
>>> we're relying primarily on HTTPS for PyPI -> installer security.
>>>
>>> However, that changes once PEP 458 gets implemented, as that will
>>> switch the primary package level security mechanism over to TUF, which
>>> includes a range of mechanisms designed to detect tampering with the
>>> link to PyPI (including freeze attacks that keep you from checking for
>>> new packages, or attempting to lie about which versions are
>>> available).
>>>
>>> So the scenario we want to avoid is one where an attacker can present
>>> a notice that says "Please ignore that scary security warning your
>>> installer is giving you, we're having an issue with the metadata
>>> generation process on the server. To resolve the problem, please force
>>> upgrade pip".
>>>
>>> That's a solvable problem (e.g. only check for the MOTD *after*
>>> successfully retrieving a valid metadata file), but it's still
>>> something to take into account.
>>>
>>> Cheers,
>>> Nick.
>>>
>>> --
>>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>>> _______________________________________________
>>> Distutils-SIG maillist  -  Distutils-SIG at python.org
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>>
>>
>
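The point raised at the top of this thread, that a MOTD fetched from anywhere but a signed package is untrusted input and must have its terminal escape sequences neutralised before it is printed, as an added example that is not part of the original post or of pip. The regex, the function names and the hostile sample notice are all constructed for this illustration.

```python
import re

# Constructed regex for the terminal control sequences an untrusted MOTD
# could smuggle into the user's terminal. Alternatives are tried in order,
# so the multi-byte forms are matched before the bare C0/C1 fallback.
_CONTROL_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: colours, cursor moves, screen erase
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"  # OSC: window title, hyperlinks, clipboard
    r"|\x1b[@-Z\\-_]"                       # other ESC sequences (DCS, C1 introducers)
    r"|[\x00-\x08\x0b-\x1f\x7f]"            # remaining C0 controls and DEL (keeps \t, \n)
    r"|[\x80-\x9f]"                         # 8-bit C1 controls
)


def sanitize_motd(text: str, replacement: str = "") -> str:
    """Return `text` with terminal control sequences removed (or replaced).

    Tabs, newlines and ordinary non-ASCII text are preserved; everything
    that could redraw the screen, retitle the window or hide text is not.
    """
    text = text.replace("\r\n", "\n")  # normalise line endings before matching
    return _CONTROL_RE.sub(replacement, text)


def has_control_sequences(text: str) -> bool:
    """True if displaying `text` verbatim would emit terminal controls."""
    return _CONTROL_RE.search(text) is not None


if __name__ == "__main__":
    # Constructed sample: a notice that tries to clear the screen, recolour
    # itself to look like an official warning, and retitle the window,
    # along the lines of the scenario described further down the thread.
    hostile = (
        "\x1b[2J\x1b[1;31mWARNING:\x1b[0m please ignore the metadata error "
        "and force-upgrade pip.\x1b]0;trusted\x07\n"
        "See /news for more information.\n"
    )
    print(sanitize_motd(hostile), end="")
```

Passing `replacement="^["` instead of the default makes the removed sequences visible in the output rather than silently dropped.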