[Pythonmac-SIG] Package Manager idea, adding a URL scheme
gandreas at delver.com
Fri Oct 3 15:08:36 EDT 2003
Taking a step back here for a second, I think we're confusing a
couple of things (at least different people seem to have different
underlying assumptions/ideas/points of view here).
When talking security, you need to define what it is that you are
trying to secure in the first place, and what do you trust and what
is beyond your control (and untrusted). It's not clear that we've
done that yet...
Is PackMan "trusted"? For example, are we trying to address "what if
PackMan is compromised"? Because if it can be compromised, and we
are assuming it was trusted in the first place, all the other layers
of authentication, signatures, certificates, etc... are probably
I think the whole idea is to let the user "know" if the package that
they just installed is really what they think they just installed,
especially if it came from an untrusted host (e.g., I installed
package Foo from Foobar.com, but want to make sure nobody hacked
Foobar.com and installed an incorrect version of the Foo package),
Certainly if we want to make sure that PackMan is trusted (and
remains so), running any sort of code from Foo to get a version
number would allow PackMan to become compromised.
It is probably reasonable to assume that SSL is trusted (so a
previously mentioned "man in the middle" attack shouldn't be possible
with SSL), but is it reasonable to assume that your web-browser is
trusted? If PackMan is trusted (and URL access or WebKit support
it), could it just do SSL itself?
If we look at PyCrypto, this would require that whatever used it be
"trusted" (since otherwise something could subvert the authentication
process and just fake the call to PyCrypto and return "why, yes, it
is valid"). This really would require that whatever told the user
that it was an authentic Foo package never run any code from Foo to
get the version number.
On the other hand, if PackMan were trusted (as were the MD5 modules),
do a simple MD5 checksum of the package, and then getting the
"official" checksum from a trusted host (python.org) with a trusted
transport mechanism (SSL) and comparing them should be sufficient
(though something a bit stronger than MD5 might be desirable).
Just trying to look at things from a paranoid internet security mindset...
Glenn Andreas gandreas at delver.com
Theldrow, Blobbo, Cythera, oh my!
Be good, and you will be lonesome
More information about the Pythonmac-SIG