A MOTD from anything but a signed package would be user-supplied input. Shell/terminal command ^[escaping would be necessary: https://stackoverflow.com/questions/6534556/how-to-remove-and-all-of-the-escape-sequences-in-a-file-using-linux-shell-sc
Impact: Are additional requests and variable messages really necessary? Can static error messages simply say 'check /news for more information'? (thus saving: millions of requests per year and additional MOTD package signing overhead and bandwidth)?

On Thursday, April 12, 2018, Justin Cappos <jcap...@nyu.edu> wrote:
> FYI: TUF has a custom metadata field in the targets metadata that could
> potentially be used for this purpose. We can explain more if there is
> interest...
>
> On Thu, Apr 12, 2018 at 8:26 AM, Nathaniel Smith <n...@pobox.com> wrote:
>
>> From the TUF perspective it seems like it would be straightforward to
>> make the MOTD a "package", whose "contents" is the MOTD text, and that we
>> "upgrade" it to get the latest text before displaying anything.
>>
>> -n
>>
>> On Thu, Apr 12, 2018, 05:10 Nick Coghlan <ncogh...@gmail.com> wrote:
>>
>>> On 12 April 2018 at 07:01, Paul Moore <p.f.mo...@gmail.com> wrote:
>>> > HTTPS access to the index server is fundamental to pip - if an
>>> > attacker can subvert that, they don't need to mess with a message,
>>> > they can just replace packages. So I don't see that displaying a
>>> > message that's available from that same index server is an additional
>>> > vulnerability, surely? But I'm not a security expert - I'd defer to
>>> > someone like Donald to comment on the security aspects of any proposal
>>> > here.
>>>
>>> Right now it doesn't create any additional vulnerabilities, since
>>> we're relying primarily on HTTPS for PyPI -> installer security.
>>>
>>> However, that changes once PEP 458 gets implemented, as that will
>>> switch the primary package level security mechanism over to TUF, which
>>> includes a range of mechanisms designed to detect tampering with the
>>> link to PyPI (including freeze attacks that keep you from checking for
>>> new packages, or attempting to lie about which versions are
>>> available).
>>>
>>> So the scenario we want to avoid is one where an attacker can present
>>> a notice that says "Please ignore that scary security warning your
>>> installer is giving you, we're having an issue with the metadata
>>> generation process on the server. To resolve the problem, please force
>>> upgrade pip".
>>>
>>> That's a solvable problem (e.g. only check for the MOTD *after*
>>> successfully retrieving a valid metadata file), but it's still
>>> something to take into account.
>>>
>>> Cheers,
>>> Nick.
>>>
>>> --
>>> Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
>>> _______________________________________________
>>> Distutils-SIG maillist - Distutils-SIG@python.org
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>>
>> _______________________________________________
>> Distutils-SIG maillist - Distutils-SIG@python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
>>
>
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
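An added example (not pip's, TUF's or any list participant's code) of the terminal-escaping step the top message calls for: a sanitizer that strips escape sequences and control characters from an untrusted MOTD before it is printed. The regex patterns are assumptions based on the usual ECMA-48/xterm sequence forms, and the sample MOTD is constructed for the demonstration.

```python
import re

# Assumed sequence forms (ECMA-48 / xterm conventions), stripped in this order:
#   OSC  ESC ] ... BEL|ESC \      window titles, OSC 8 hyperlinks
#   CSI  ESC [ params final       colours, cursor movement, erase line/screen
#   other ESC + intermediates + one final byte (charset selects, RIS, ...)
#   C1 controls 0x80-0x9F (8-bit CSI/OSC are first mapped to their 7-bit forms)
#   C0 controls except tab/newline (\r used to overwrite a line, BS, BEL, ...)
_OSC = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?")
_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]?")
_ESC_OTHER = re.compile(r"\x1b[ -/]*[0-~]?")
_C1 = re.compile(r"[\x80-\x9f]")
_C0 = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def sanitize_for_terminal(text: str) -> str:
    """Return text that only contains printable characters, tabs and newlines."""
    # 8-bit CSI (0x9B) and OSC (0x9D) carry parameters; rewrite them so the
    # 7-bit patterns remove the whole sequence, not just the introducer byte.
    text = text.replace("\x9b", "\x1b[").replace("\x9d", "\x1b]")
    for pattern in (_OSC, _CSI, _ESC_OTHER, _C1, _C0):
        text = pattern.sub("", text)
    return text


def contains_terminal_controls(text: str) -> bool:
    """True if printing text unsanitized would send controls to the terminal."""
    return sanitize_for_terminal(text) != text


# Constructed sample: a MOTD that tries to overwrite the real notice with
# CR + erase-line, colour its instruction, hide a link behind OSC 8,
# set the window title, and erase text with backspaces.
SAMPLE_MOTD = (
    "pip 18.0 is available \r\x1b[2K"
    "Please \x1b[1;31mforce upgrade\x1b[0m now "
    "\x1b]8;;https://example.invalid\x1b\\see here\x1b]8;;\x1b\\"
    "\x1b]0;owned\x07\n"
    "details\x08\x08\x08\x08\x08\x08\x08hidden\x9b31m!"
)

if __name__ == "__main__":
    print(repr(sanitize_for_terminal(SAMPLE_MOTD)))
```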