[Python-Dev] pip: cdecimal an externally hosted file and may be unreliable [sic]

Donald Stufft donald at stufft.io
Thu May 8 17:43:37 CEST 2014


On May 8, 2014, at 11:34 AM, Stefan Krah <stefan at bytereef.org> wrote:

> Donald Stufft <donald at stufft.io> wrote:
>>> Today I've switched to manual install mode with manual sha256sum verification
>>> which is *far* safer than anything you get via pip right now.
>> 
>> It is not safer in any meaningful way.
>> 
>> If someone is in a position to compromise the integrity of PyPI's TLS, they
>> can replace the hash on that page with something else. Now you've attempted to
>> work around this by telling people to go look up the release announcement
>> hash. However if someone can compromise the integrity of PyPI's TLS, they can
>> also compromise the integrity of https://mail.python.org/, or GMane, or any
>> other TLS based website[1].
> 
> Of course it is safer.  Suppose a file is stored on PyPI:
> 
>  1) Attacker guesses my username (or is it even visible, I'm not sure).
> 
>  2) Clicks on "lost login".
> 
>  3) Intercepts mail (difficult, but far from the TLS attack category).
>     Maybe on a home or university network.  Or a rogue person at a
>     mail provider.
> 
>  4) Changes the uploaded file together with the hash.
> 
> 
> pip would be perfectly happy, checking the hash via Google would turn
> up a mismatch.

I said “meaningful”. Almost nobody is going to ever bother googling it and
the likelihood that someone is able to MITM *you* specifically is far less
than the likelihood that someone is going to MITM one of the cdecimal users.

Additionally your messages aren’t signed and email isn’t an authenticated
profile, so if someone was able to get your password they could simply spoof
an email from you to the mailing list with new hashes, or edit out the description
telling people to go google some stuff.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
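The two verification procedures argued about in this thread, written out as an added example (not code from the thread or from pip): a manual sha256 check where the expected hash comes from the same download page as the file, beside one where the hash was obtained out of band and pinned before downloading. The file contents and the "tampered" substitute are constructed sample bytes, and the function names are this example's own. The simulation shows why a hash published on the same page as the file adds nothing against an attacker who controls that page, while a pinned hash catches the substitution; as the thread points out, the pinned hash is itself only as trustworthy as the channel it came from.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a downloaded sdist tarball.
GENUINE_SDIST = b"cdecimal-sample.tar.gz (constructed genuine contents)"
# Constructed substitute an attacker would serve in its place.
TAMPERED_SDIST = b"cdecimal-sample.tar.gz (constructed tampered contents)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the value `sha256sum` prints."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_hex: str) -> bool:
    """Compare the file's digest with the expected one in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def single_channel_check(served_file: bytes, served_hash: str) -> bool:
    """Expected hash read from the same page that served the file.

    An attacker who can change the file on that page can change this hash
    too, so the check only detects accidental corruption, not substitution.
    """
    return verify(served_file, served_hash)


def two_channel_check(served_file: bytes, pinned_hash: str) -> bool:
    """Expected hash recorded earlier from an independent source.

    Substituting the file is only undetected if the attacker also controls
    the channel the pinned hash came from.
    """
    return verify(served_file, pinned_hash)


def simulate() -> dict:
    """Run both checks under the thread's threat model and report outcomes."""
    # The publisher's real hash, recorded out of band before downloading.
    pinned = sha256_hex(GENUINE_SDIST)
    # The attacker replaces the file and the hash shown next to it.
    attacker_hash = sha256_hex(TAMPERED_SDIST)
    return {
        "single_channel_accepts_tampered": single_channel_check(TAMPERED_SDIST, attacker_hash),
        "two_channel_rejects_tampered": not two_channel_check(TAMPERED_SDIST, pinned),
        "two_channel_accepts_genuine": two_channel_check(GENUINE_SDIST, pinned),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

Run it directly to see all three outcomes print `True`: the same-page hash accepts the substituted file, the pinned hash rejects it and still accepts the genuine one.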
