On 06 Feb 2013, at 15:56, Lennart Regebro <rege...@gmail.com> wrote:
> On Wed, Feb 6, 2013 at 3:38 PM, Giovanni Bajo <ra...@develer.com> wrote:
>> That's OK, we can make sure in the design that you will be able to do it.
>
> A setting in pip to choose the key repository should do it, right?
> Supporting a local directory perhaps?
> And of course defaulting to PyPI.

It's a little bit more than that. You need to configure pip with the equivalent of a dictionary mapping pip/PyPI unique package names to lists of approved GPG fingerprints. Eg:

django = [ abcdf1234, 467ab3de ]
gevent = [ 9284abcd ]

When we say that the proposed design "requires trust on PyPI", we are basically saying that PyPI is holding that information for you, and you're trusting it not to be compromised. Obviously, there are dozens of ways to reduce the probability of a compromise:

* Have a secret, per-package security email (different from standard owner/maintainer) where all GPG fingerprint changes are notified (or even better, requested for approval with a link).
* Only let the owner change the fingerprint, not the maintainers.
* Ask for a secondary security password when changing the fingerprints on the website, only used for that and not for the standard HTTP basic-auth communication.
* Allow them also to be stored in some third-party repository that can be easily queried for a double-check (eg: DNS/DNSSEC records in a project-controlled website).

We can elaborate on this forever; at the end of the day, the point is that you need to trust PyPI on that, and we can try to gain that trust by making things exponentially more difficult for an attacker.
But I'm perfectly OK with having the possibility to disable trust on PyPI, just like you can remove the default CA trust list from your browser and either whitelist one website at a time (by making phone calls to the controlling corporation of each website and asking them to confirm the certificate fingerprint) or whitelist one CA at a time as a compromise (with the assumption that your web browsing is probably "local" in a way, and thus you actually require trust in a subset of the whole CA bundle).

--
Giovanni Bajo :: ra...@develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
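The per-package fingerprint map sketched in the mail above, worked through as an added example (not code from the thread, pip or PyPI): a local trust file in the "package = [ fingerprints ]" shape is parsed, the signer's full fingerprint is taken from the `VALIDSIG` line of `gpg --status-fd` output, and a package is accepted only if that fingerprint is pinned for it, with PyPI's own list merged in only when trust on PyPI is left enabled. All fingerprints are constructed placeholders, and the `pypi_trust` dictionary stands in for whatever PyPI would serve.

```python
import re

# Constructed sample trust map in the "package = [ fingerprints ]" shape from the mail; the fingerprints are made-up placeholders.
LOCAL_TRUST_TEXT = """
# package = [ approved full GPG fingerprints ]
django = [ 0123456789ABCDEF0123456789ABCDEF01234567, FEDCBA9876543210FEDCBA9876543210FEDCBA98 ]
gevent = [ 1111222233334444555566667777888899990000 ]
"""

_ENTRY = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*\[(.*)\]\s*$")

def norm_fpr(fpr):
    """Canonical form for comparison: uppercase hex, no spaces."""
    return fpr.replace(" ", "").upper()

def parse_trust_map(text):
    """Return {package: set(fingerprints)}; blank lines and '#' comments are skipped."""
    trust = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"bad trust entry: {line!r}")
        fprs = {norm_fpr(f) for f in m.group(2).split(",") if f.strip()}
        trust.setdefault(m.group(1).lower(), set()).update(fprs)
    return trust

def signer_fingerprint(gpg_status):
    """Full signer fingerprint from `gpg --status-fd` output, or None without a VALIDSIG line.
    GOODSIG alone only carries a short key id, which is not safe to pin on."""
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return norm_fpr(parts[2])
    return None

def verify_package(name, gpg_status, local_trust, pypi_trust=None, trust_pypi=True):
    """Accept only a valid signature whose key is pinned locally, or by PyPI when trust_pypi is set."""
    approved = set(local_trust.get(name.lower(), ()))
    if trust_pypi and pypi_trust:
        approved |= {norm_fpr(f) for f in pypi_trust.get(name.lower(), ())}
    fpr = signer_fingerprint(gpg_status)
    if fpr is None:
        return False, "no valid signature"
    if fpr not in approved:
        return False, f"signer {fpr} is not approved for {name}"
    return True, f"signed by approved key {fpr}"
```

Disabling `trust_pypi` is the "remove the default CA list" mode: only the local pins count, so a compromised fingerprint list on PyPI cannot widen the approved set.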