On 05/Feb/2013, at 15:34, Daniel Holth <dho...@gmail.com> wrote:

> On Tue, Feb 5, 2013 at 9:28 AM, Donald Stufft <donald.stu...@gmail.com> wrote:
> On Tuesday, February 5, 2013 at 9:24 AM, Daniel Holth wrote:
>> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
>> SHA2 hash of the file to be downloaded from an external host would be enough
>> to detect tampering over time.
>
> You could do this, but it still lowers the overall availability of the system,
> which kinda sucks, and to actually be sane and secure you'd still need to
> rework the current method of trolling for external urls.
>
>> pip could come with a copy of PyPI's ssl certificate, verifying that it was
>> identical to the expected cert rather than signed by one of 100s of trusted
>> CAs.
>
> That loses the ability to change PyPI's SSL cert, basically forever, and still
> doesn't protect against MITM of someone logging into PyPI through a browser.
>
> Or it could just notify you whenever the SSL certificate changed.
> http://tack.io/ lets a site sign its SSL certificate with a key that doesn't
> change. Of course doing SSL at all is the priority.


The point is that it's not important to get there in the first place. If you
want to solve this additional problem (CA vulnerabilities), then there is no
reason why pip should use an SSL endpoint with a certificate signed by a public,
global CA. Global CAs are used for browsers. pip could connect to an SSL
webservice using a self-signed CA, and pin that CA forever.

My position on the matter is that this issue should be rediscussed after we fix 
the major problems, one of which is the fact that pip is using HTTP and not 
HTTPS. There is a pull request here:
https://github.com/pypa/pip/pull/789

-- 
Giovanni Bajo   ::  ra...@develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
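Added example, not code from the thread or from pip: the two pinning styles under discussion side by side, a client context that trusts only a pinned private CA (so the leaf certificate can still be rotated under it) and a leaf-certificate pin check of the "identical to the expected cert" kind, generalised to a pin set so a planned next certificate does not break clients. The certificate bytes and pin values are constructed stand-ins.

```python
import hashlib
import ssl


def pinned_ca_context(ca_pem: str) -> ssl.SSLContext:
    """TLS client context that trusts only the given CA (PEM text).

    Nothing from the system CA bundle is loaded, so a mis-issued public
    certificate for the index host is rejected. The leaf certificate can
    still be replaced as long as the new one chains to the pinned CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject anything not chaining to the pin
    ctx.check_hostname = True            # still bind the certificate to the host name
    ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def leaf_pin_ok(der_cert: bytes, pins: set[str]) -> bool:
    """Leaf-certificate pinning: the presented cert must be one of the pinned ones.

    A single pin freezes the certificate for good; adding the next certificate's
    fingerprint to the set before rotation is what makes rotation possible.
    """
    return cert_fingerprint(der_cert) in pins


def verify_after_handshake(sock: ssl.SSLSocket, pins: set[str]) -> bool:
    """Check the peer's leaf certificate against the pin set once connected."""
    der = sock.getpeercert(binary_form=True)
    return der is not None and leaf_pin_ok(der, pins)


# Constructed stand-ins for DER certificates (real DER begins with a 0x30 SEQUENCE tag).
FAKE_CURRENT_LEAF = b"\x30\x82\x01\x00constructed-current-leaf"
FAKE_NEXT_LEAF = b"\x30\x82\x01\x00constructed-next-leaf"
# Pin set holding the current certificate and the one planned to replace it.
PINS = {cert_fingerprint(FAKE_CURRENT_LEAF), cert_fingerprint(FAKE_NEXT_LEAF)}
```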


_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
