would be nice: import from archive

Benjamin Niemann pink at odahoda.de
Sat Aug 28 11:22:52 CEST 2004


Alex Martelli wrote:
> Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:
> 
> 
>>aleaxit at yahoo.com (Alex Martelli) writes:
>>
>>>While the overall way the new import hooks work is well documented in
>>>their PEP, zipimport is admittedly underdocumented.  I suggest peeking
>>
>>OK.  I'll look at the PEP.  I think adding signing is hairy enough
>>that it should have its own round of discussion; should I see about
>>editing the PEP to add something about signing?
> 
> 
> I think that would be an excellent idea.  If it was just about allowing
> import from signed zipfiles it might not be needed, but how best to let
> the user optionally DIS-allow imports from UN-signed files does appear
> to be something requiring a little debate.  An environment variable
> would have the advantage of letting the disallowing work even for the
> early imports that Python does before application code gets control, but
> some people dislike relying on environment variables particularly for
> security-related configuration tasks.  Would it make sense to rely on a
> naming convention instead?  I.e. foo.zip would be unsigned but bar.jar
> would have to be signed or else no go.  This would have the advantage of
> allowing substantial granularity in controlling this.
Isn't the purpose of signatures that the importing program can trust the 
module? If it's implemented as you suggest, an attacker could just 
inject path to an unsigned module into PYTHONPATH to fool a program. How 
about something like

require_signature('mymodule')
import mymodule

or

import mymodule
verify_module(mymodule)

Another question is, where to place (require|verify)_signature() (that 
could also take a CA key (or list of) as optional argument to only allow 
modules signed by this CA). It must not be imported from an untrusted 
module.
The whole signing thing probably make only sense, if python and it's 
stdlib can be trusted (=signed).

Or am I missing other useful applications of signed archives?


> 
> Side question, does module zipfile already have the code to allow
> reading such signed files?  Otherwise a first, uncontentious step, in
> parallel with the PEP, might be a patch to add that ability to zipfile.
> 
> 
> Alex
>   



More information about the Python-list mailing list