On Sun, Feb 10, 2013 at 7:23 AM, Giovanni Bajo <ra...@develer.com> wrote:
> Hello,
>
> my proposal for fixing PyPI and pip security is here:
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit#
>
> I tried to sum up the discussions we had here last week, elaborating on
> Heimes' proposal by simplifying it where I thought the additional steps
> wouldn't guarantee additional security. At this point, the proposal does not
> include a central, uber-master online GPG signing key to be stored on PyPI,
> which is IMO quite hard to handle correctly.
I think the parts related to improving the HTTPS/SSL based security are solid, but for the other aspects of secure updates, integrating TUF (https://www.updateframework.com/) into the PyPI based distribution infrastructure sounds like the best available option for enhancing the end-to-end integrity checking.

TUF has a comparatively well-developed threat model, and systematically covers many of the attack vectors discussed in the past few days (including provision of old, known vulnerable, versions).

I have more faith in our collective ability to build a usable *and* secure cross-platform distribution infrastructure on TUF (which already has many of the more difficult security aspects covered), along with devising a migration path from our existing distribution infrastructure, than I do in our ability to come up with something completely new.

Regards,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
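The "provision of old, known vulnerable, versions" attack mentioned above is the rollback (and related freeze) attack that a secure update framework's threat model has to cover: a client must refuse repository metadata that is older than what it has already trusted, or that is past its expiry, even when that metadata carries a valid signature. The following is an added illustration of that client-side freshness check, written for this thread; it is not code from Nick's message, from pip, or from TUF's own implementation, and the metadata layout, field names (`version`, `expires`, `targets`), sample records and placeholder hashes are all constructed for the example. Signature verification, which would run before this check in a real client, is deliberately out of scope here.

```python
"""Minimal rollback/expiry check for repository metadata (illustration only).

Assumptions (not from the thread or from TUF):
  * metadata is a dict with an integer 'version', an ISO-8601 UTC 'expires'
    timestamp, and a 'targets' mapping of filename -> expected digest;
  * signatures have already been verified by the caller.
"""
from datetime import datetime, timezone


class RollbackError(Exception):
    """Server offered metadata older than the copy the client already trusts."""


class ExpiredMetadataError(Exception):
    """Offered metadata is past its expiry timestamp (freeze / stale mirror)."""


def check_freshness(trusted, offered, now):
    """Return `offered` if it is acceptable, else raise.

    Expiry is checked first so that a stale mirror cannot even be considered;
    then the version must be >= the trusted version (equal is allowed so a
    client can re-download the same snapshot).
    """
    expires = datetime.fromisoformat(offered["expires"])
    if expires <= now:
        raise ExpiredMetadataError(
            f"metadata v{offered['version']} expired at {expires.isoformat()}"
        )
    if trusted is not None and offered["version"] < trusted["version"]:
        raise RollbackError(
            f"offered v{offered['version']} is older than trusted v{trusted['version']}"
        )
    return offered


# Constructed sample metadata; the digests are placeholders, not real hashes.
CURRENT_META = {
    "version": 3,
    "expires": "2013-03-10T00:00:00+00:00",
    "targets": {"example-pkg-1.2.tar.gz": {"sha256": "<placeholder-hash-1.2>"}},
}
STALE_META = {  # an earlier snapshot that still lists a superseded release
    "version": 2,
    "expires": "2013-03-10T00:00:00+00:00",
    "targets": {"example-pkg-1.1.tar.gz": {"sha256": "<placeholder-hash-1.1>"}},
}
EXPIRED_META = {  # newer version number, but past its expiry: a frozen mirror
    "version": 4,
    "expires": "2013-02-01T00:00:00+00:00",
    "targets": {},
}

# Fixed "current time" so the scenario is reproducible (constructed).
EXAMPLE_NOW = datetime(2013, 2, 10, tzinfo=timezone.utc)


def simulate(offers, now):
    """Feed each offered metadata to the client in order.

    Returns (metadata the client ends up trusting, list of outcomes), where
    each outcome is ("accepted", version) or ("rejected", version, error name).
    """
    trusted = None
    outcomes = []
    for offered in offers:
        try:
            trusted = check_freshness(trusted, offered, now)
            outcomes.append(("accepted", offered["version"]))
        except (RollbackError, ExpiredMetadataError) as exc:
            outcomes.append(("rejected", offered["version"], type(exc).__name__))
    return trusted, outcomes


if __name__ == "__main__":
    final, log = simulate([CURRENT_META, STALE_META, EXPIRED_META], EXAMPLE_NOW)
    for entry in log:
        print(entry)
    print("client trusts version", final["version"])
```

Run as a script, the client accepts version 3, then rejects the version 2 snapshot (which would otherwise steer it to the superseded `example-pkg-1.1` release) as a rollback, and rejects the expired version 4 file. Note the ordering: a client that only compared version numbers would happily take the expired v4, which is why expiry is checked before the version comparison.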