On Tue, Feb 05, 2013 at 10:18 -0500, Donald Stufft wrote:
> On Tuesday, February 5, 2013 at 10:14 AM, holger krekel wrote:
> > Transporting almost all externally reachable packages to be locally pypi
> > served is also kind of a low hanging fruit, although probably slightly
> > higher hanging than SSL :) The point is that we can have some control over
> > those packages once we have them - so we can delete them if they are
> > reported to be malicious independently of maintainer reachability.
> > 
> 
> We have no way to validate the package we are downloading is the accurate one,
> we should not infer trust/validation that doesn't exist. 

MITM attacking any of the many world-wide pypi/easy_install downloads
from external sites is much easier than tampering with a few one-time
downloads (verified against each other) for pypi.python.org's
serving purposes.  By contrast, changing client-side tools and
defaults is going to take much longer and will not reach everybody.

IOW, I believe that improving the serving side is good low-hanging
fruit.

> > No, because a signature can only be created by the original author for
> > a particular file (his upload), not from the download site or a
> > MITM-attacker for a different file.
> > 
> > 
> 
> This assumes we know what the correct key is. If we don't then we
> have no way to validate that the signature was created by the author
> and not by someone else. Trust is hard. 

Sure, you need sig-validation infrastructure for this.

And sig-validation is a much higher hanging fruit than using
https on pypi.python.org.

best,
holger
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig