On 12 April 2018 at 07:01, Paul Moore <p.f.mo...@gmail.com> wrote:
> HTTPS access to the index server is fundamental to pip - if an
> attacker can subvert that, they don't need to mess with a message,
> they can just replace packages. So I don't see that displaying a
> message that's available from that same index server is an additional
> vulnerability, surely? But I'm not a security expert - I'd defer to
> someone like Donald to comment on the security aspects of any proposal
> here.
Right now it doesn't create any additional vulnerabilities, since we're relying primarily on HTTPS for PyPI -> installer security.

However, that changes once PEP 458 gets implemented, as that will switch the primary package level security mechanism over to TUF, which includes a range of mechanisms designed to detect tampering with the link to PyPI (including freeze attacks that keep you from checking for new packages, or attempting to lie about which versions are available).

So the scenario we want to avoid is one where an attacker can present a notice that says "Please ignore that scary security warning your installer is giving you, we're having an issue with the metadata generation process on the server. To resolve the problem, please force upgrade pip".

That's a solvable problem (e.g. only check for the MOTD *after* successfully retrieving a valid metadata file), but it's still something to take into account.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
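The ordering Nick suggests (verify the index metadata first, only then read the MOTD) as an added, stand-alone example. This is illustrative code, not pip's or TUF's: the signed "timestamp" file, the in-memory index, the MOTD strings and the use of an HMAC key in place of TUF's public-key signatures are all constructed assumptions here so the script runs offline. The expiry check is the part that catches a freeze attack (replaying an old but correctly signed file), and the version check catches a rollback; in both failure cases the client never looks at the MOTD, so an attacker who controls the link to the index cannot use the notice to talk the user out of the warning.

```python
"""Gate an index-served MOTD behind successful metadata verification.

Illustrative only: TUF uses asymmetric signatures and several metadata roles;
this example substitutes HMAC-SHA256 (assumption) and a single timestamp file.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key and fixed "current time" so the scenarios are deterministic.
KEY = b"constructed-demo-key"
NOW = datetime(2018, 4, 12, 7, 1, tzinfo=timezone.utc)


class MetadataError(Exception):
    """Metadata failed verification: nothing from the index may be trusted."""


def sign(payload: bytes, key: bytes) -> str:
    # Stand-in for a TUF role signature (assumption: HMAC instead of Ed25519).
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_metadata(payload: bytes, signature: str, key: bytes,
                    now: datetime, last_seen_version: int) -> dict:
    """Return parsed metadata only if signature, expiry and version all check out."""
    if not hmac.compare_digest(sign(payload, key), signature):
        raise MetadataError("bad signature on timestamp metadata")
    meta = json.loads(payload)
    expires = datetime.fromisoformat(meta["expires"])
    # Freeze attack: an attacker replaying an old signed file cannot move 'expires'.
    if expires <= now:
        raise MetadataError(
            f"metadata expired at {expires.isoformat()} (possible freeze attack)")
    # Rollback: a still-unexpired but older file must not replace a newer one.
    if meta["version"] < last_seen_version:
        raise MetadataError(
            f"metadata version {meta['version']} older than {last_seen_version} (rollback)")
    return meta


def fetch_index_state(index: dict, key: bytes, now: datetime,
                      last_seen_version: int) -> dict:
    """Client flow: verify metadata first; only then consult the MOTD."""
    meta = verify_metadata(index["timestamp.json"], index["timestamp.sig"],
                           key, now, last_seen_version)
    # Anything advisory from the index is read only after the metadata is known-good.
    return {"version": meta["version"], "motd": index.get("motd.txt")}


def client_run(index: dict, last_seen_version: int = 0) -> dict:
    """What the installer would report: on any metadata failure the MOTD stays hidden."""
    try:
        state = fetch_index_state(index, KEY, NOW, last_seen_version)
    except MetadataError as exc:
        return {"ok": False, "error": str(exc), "motd": None}
    return {"ok": True, "error": None, "motd": state["motd"]}


def make_index(key: bytes, version: int, expires: datetime, motd: str) -> dict:
    """Constructed in-memory index: signed timestamp metadata plus a MOTD file."""
    payload = json.dumps({"version": version, "expires": expires.isoformat()},
                         sort_keys=True).encode()
    return {"timestamp.json": payload, "timestamp.sig": sign(payload, key),
            "motd.txt": motd}


def honest_index() -> dict:
    return make_index(KEY, 42, NOW + timedelta(days=1), "Welcome to PyPI")


def frozen_index() -> dict:
    # Attacker on the path replays week-old signed metadata and serves their own notice.
    return make_index(KEY, 41, NOW - timedelta(days=7),
                      "Please ignore the security warning; force upgrade pip")


def tampered_index() -> dict:
    # Attacker edits the version field without being able to re-sign it.
    idx = make_index(KEY, 43, NOW + timedelta(days=1), "Welcome to PyPI")
    idx["timestamp.json"] = idx["timestamp.json"].replace(b'"version": 43', b'"version": 99')
    return idx


if __name__ == "__main__":
    for name, idx in [("honest", honest_index()), ("frozen", frozen_index()),
                      ("tampered", tampered_index())]:
        print(name, client_run(idx))
    print("rollback", client_run(honest_index(), last_seen_version=50))
```

Only the honest index ever yields a MOTD; the replayed, tampered and rolled-back indexes all fail before the notice is read, which is exactly the property the "check the MOTD after a valid metadata file" ordering is meant to give.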