[Pythonmac-SIG] Package Manager idea, adding a URL scheme
Glenn Andreas
gandreas at delver.com
Fri Oct 3 15:08:36 EDT 2003
Taking a step back here for a second, I think we're confusing a couple of things (at least different people seem to have different underlying assumptions/ideas/points of view here).

When talking security, you need to define what it is that you are trying to secure in the first place, and what you trust and what is beyond your control (and untrusted). It's not clear that we've done that yet...

Is PackMan "trusted"? For example, are we trying to address "what if PackMan is compromised"? Because if it can be compromised, and we are assuming it was trusted in the first place, all the other layers of authentication, signatures, certificates, etc. are probably meaningless.

I think the whole idea is to let the user "know" if the package that they just installed is really what they think they just installed, especially if it came from an untrusted host (e.g., I installed package Foo from Foobar.com, but want to make sure nobody hacked Foobar.com and installed an incorrect version of the Foo package), right?

Certainly if we want to make sure that PackMan is trusted (and remains so), running any sort of code from Foo to get a version number would allow PackMan to become compromised.

It is probably reasonable to assume that SSL is trusted (so a previously mentioned "man in the middle" attack shouldn't be possible with SSL), but is it reasonable to assume that your web browser is trusted? If PackMan is trusted (and URL access or WebKit support it), could it just do SSL itself?

If we look at PyCrypto, this would require that whatever used it be "trusted" (since otherwise something could subvert the authentication process and just fake the call to PyCrypto and return "why, yes, it is valid"). This really would require that whatever told the user that it was an authentic Foo package never run any code from Foo to get the version number.

On the other hand, if PackMan were trusted (as were the MD5 modules), doing a simple MD5 checksum of the package, and then getting the "official" checksum from a trusted host (python.org) with a trusted transport mechanism (SSL) and comparing them, should be sufficient (though something a bit stronger than MD5 might be desirable).

Just trying to look at things from a paranoid internet security mindset...
--
Glenn Andreas gandreas at delver.com
Theldrow, Blobbo, Cythera, oh my!
Be good, and you will be lonesome
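The checksum procedure the post sketches (hash the downloaded package locally, fetch the "official" checksum from a trusted host over SSL, compare), written out as an added example. This is not code from the post, from PackMan, or from python.org. The manifest format (`<algorithm>:<hexdigest>  <filename>`), the sample package bytes, and the filename are all constructed for this example; the post does not say how the official checksum would be published. Following the post's own caveat about MD5, the verifier accepts SHA-256 or SHA-512 by default and rejects an MD5-only manifest unless explicitly allowed. Nothing here executes code from the package: the version or identity of the package is established only from its bytes.

```python
import hashlib
import hmac
import ssl
import urllib.request
from typing import Dict, Tuple

# Constructed sample input: the bytes of a downloaded "Foo" package.
# Not a real package; any bytes would do for the demonstration.
SAMPLE_PACKAGE = b"Foo-1.0 package contents (constructed sample bytes)\n"
SAMPLE_FILENAME = "Foo-1.0.tar.gz"


def digest_bytes(data: bytes, algo: str, chunk: int = 1 << 16) -> str:
    """Hash the package bytes in chunks. Nothing inside the package is run."""
    h = hashlib.new(algo)
    for start in range(0, len(data), chunk):
        h.update(data[start:start + chunk])
    return h.hexdigest()


def build_manifest(files: Dict[str, bytes], algo: str = "sha256") -> str:
    """Publisher side: the manifest a trusted host would serve over SSL.

    Manifest line format is an assumption for this example:
        <algorithm>:<hexdigest>  <filename>
    """
    lines = [f"{algo}:{digest_bytes(data, algo)}  {name}"
             for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, Tuple[str, str]]:
    """Client side: map filename -> (algorithm, hexdigest); reject bad lines."""
    entries: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest_field, sep, filename = line.partition("  ")
        algo, colon, hexdigest = digest_field.partition(":")
        if not (sep and colon and algo and hexdigest and filename.strip()):
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[filename.strip()] = (algo.lower(), hexdigest.lower())
    return entries


def fetch_manifest(url: str, timeout: float = 10.0) -> str:
    """Client side: retrieve the manifest over HTTPS only, with certificate
    and hostname verification (ssl.create_default_context enables both).
    Not exercised in this offline example; the URL is whatever the trusted
    host actually publishes."""
    if not url.startswith("https://"):
        raise ValueError("manifest must be fetched over HTTPS")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def verify_package(data: bytes, filename: str, manifest_text: str,
                   accepted=("sha256", "sha512")) -> Tuple[bool, str]:
    """Compare the local digest against the published one.

    Returns (ok, reason). The comparison is constant-time so that a
    mismatch does not leak how many leading characters agreed.
    """
    entries = parse_manifest(manifest_text)
    if filename not in entries:
        return False, f"no manifest entry for {filename}"
    algo, expected = entries[filename]
    if algo not in accepted:
        return False, f"digest algorithm {algo!r} not accepted"
    actual = digest_bytes(data, algo)
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch: package altered or manifest stale"
    return True, f"{algo} checksum matches"


if __name__ == "__main__":
    # Stand-in for the manifest the trusted host would serve over SSL.
    manifest = build_manifest({SAMPLE_FILENAME: SAMPLE_PACKAGE})
    print(manifest, end="")
    print(verify_package(SAMPLE_PACKAGE, SAMPLE_FILENAME, manifest))
    print(verify_package(SAMPLE_PACKAGE + b"tampered", SAMPLE_FILENAME, manifest))
```

The split between `build_manifest` and `verify_package` mirrors the trust boundary the post draws: the digest in the manifest is only as trustworthy as the host that served it and the transport that carried it, so the client never takes a checksum from the same untrusted host the package came from.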