From the TUF perspective it seems like it would be straightforward to make
the MOTD a "package", whose "contents" is the MOTD text, and that we
"upgrade" it to get the latest text before displaying anything.


On Thu, Apr 12, 2018, 05:10 Nick Coghlan <ncogh...@gmail.com> wrote:

> On 12 April 2018 at 07:01, Paul Moore <p.f.mo...@gmail.com> wrote:
> > HTTPS access to the index server is fundamental to pip - if an
> > attacker can subvert that, they don't need to mess with a message,
> > they can just replace packages. So I don't see that displaying a
> > message that's available from that same index server is an additional
> > vulnerability, surely? But I'm not a security expert - I'd defer to
> > someone like Donald to comment on the security aspects of any proposal
> > here.
> Right now it doesn't create any additional vulnerabilities, since
> we're relying primarily on HTTPS for PyPI -> installer security.
> However, that changes once PEP 458 gets implemented, as that will
> switch the primary package level security mechanism over to TUF, which
> includes a range of mechanisms designed to detect tampering with the
> link to PyPI (including freeze attacks that keep you from checking for
> new packages, or attempting to lie about which versions are
> available).
> So the scenario we want to avoid is one where an attacker can present
> a notice that says "Please ignore that scary security warning your
> installer is giving you, we're having an issue with the metadata
> generation process on the server. To resolve the problem, please force
> upgrade pip".
> That's a solvable problem (e.g. only check for the MOTD *after*
> successfully retrieving a valid metadata file), but it's still
> something to take into account.
> Cheers,
> Nick.
> --
> Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
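The two ideas in this exchange, shown together as an added example that is not code from pip, PyPI or any message in the thread: the installer refreshes its TUF metadata first, shows no notice at all when that refresh fails, and otherwise treats the MOTD as one more TUF target whose length and hash must match the signed targets metadata. `MetadataResult`, `verify_motd` and the MOTD strings are assumed names and constructed sample data, not real PyPI metadata.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class MetadataResult:
    """Outcome of the installer's TUF metadata refresh (hypothetical shape)."""
    valid: bool    # True only if signature, expiry and freshness checks all passed
    targets: dict  # target path -> {"length": int, "hashes": {"sha256": hex digest}}

def verify_motd(metadata: MetadataResult, motd_bytes: Optional[bytes]) -> Optional[str]:
    """Return the MOTD text to display, or None if it must not be shown.

    Ordering is the point: if the metadata refresh failed (freeze attack,
    tampered link, missing file), no notice is shown at all, so a spoofed
    "ignore that warning and force-upgrade pip" message can never reach the
    user. If the refresh succeeded, the MOTD is checked like any other TUF
    target against the length and sha256 recorded in the signed metadata.
    """
    if not metadata.valid:
        return None
    info = metadata.targets.get("motd.txt")
    if info is None or motd_bytes is None:
        return None
    if len(motd_bytes) != info["length"]:
        return None
    if hashlib.sha256(motd_bytes).hexdigest() != info["hashes"]["sha256"]:
        return None
    return motd_bytes.decode("utf-8")

# Constructed sample data: a genuine MOTD recorded in targets metadata,
# and a replaced MOTD of the kind the thread describes.
GENUINE_MOTD = b"pip 10 drops support for Python 3.3 next month."
SIGNED_TARGETS = {"motd.txt": {"length": len(GENUINE_MOTD),
                               "hashes": {"sha256": hashlib.sha256(GENUINE_MOTD).hexdigest()}}}
SPOOFED_MOTD = b"Please ignore the security warning and force upgrade pip."

def demo():
    """Returns (shown, rejected, rejected): tampered text and failed refresh both suppress the notice."""
    good = MetadataResult(valid=True, targets=SIGNED_TARGETS)
    failed = MetadataResult(valid=False, targets={})
    return (verify_motd(good, GENUINE_MOTD),
            verify_motd(good, SPOOFED_MOTD),
            verify_motd(failed, SPOOFED_MOTD))
```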