On Tuesday, February 12, 2019, Eric Peterson <epeter...@interactivebrokers.com> wrote:

>
> [...]. I am wondering if there is a programmatic way to access the SHA-256
> for a file (besides just scraping the web page)? Ideally there would be
> some way to construct a URL based on the name of the file that, when
> called, would return the fingerprint.


Because you'd be retrieving the SHA-256 over the same channel as the
release archive and said checksum is not signed, the SHA-256 should not be
considered sufficient for ensuring release integrity.

(Because if the bad guy is MITM'ing the release archive retrieval, they
could also be MITM'ing the SHA-256 retrieval)

Ways to mitigate such risk:

- retrieve SHA-256 cryptographic hash checksums over a different channel
- cryptographically sign the SHA-256 checksums with a key and retrieve the
corresponding key over a different channel

Re: GPG and PyPI:
https://github.com/pypa/warehouse/issues/3810#issuecomment-405975460

From https://python-security.readthedocs.io/packages.html#pypi :

> - PEP 458 – Surviving a Compromise of PyPI (27-Sep-2013)
> - PEP 480 – Surviving a Compromise of PyPI: The Maximum Security Model (8-Oct-2014)
> - Making PyPI security independent of SSL/TLS by Nick Coghlan

... The Update Framework (TUF) is in part derived from Thandy (the tor
updater). There's an automotive derivative of TUF called Uptane.
https://theupdateframework.github.io/

"Roadmap update for TUF support"
https://github.com/pypa/warehouse/issues/5247

"TUF deployment roadmap for PyPI"
https://github.com/theupdateframework/tuf/issues/816#

SHA-256 is not sufficient. GPG was removed because it was insufficient.
Does TUF need funding, person-hours, new code, or code-review?

> Thanks,
> Eric
> --
> Distutils-SIG mailing list -- distutils-sig@python.org
> To unsubscribe send an email to distutils-sig-le...@python.org
> https://mail.python.org/mailman3/lists/distutils-sig.python.org/
> Message archived at https://mail.python.org/archives/list/distutils-sig@
> python.org/message/FLNOENK2525RMHGL7SV2SBUXKSOJHSEZ/
>
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/YT4CDSHIOWUN6W5SF7NY5TCLJ5TXFWRF/
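The point made in the reply above, as an added example that is not part of the thread: a same-channel SHA-256 sidecar is recomputed by whoever controls the download channel, while a checksum pinned from another channel, or a checksum signed with a key fetched from another channel, catches the substitution. Go is used here because its standard library carries ed25519; the release key, archive bytes and the "tamper" step are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download server hands out: archive, SHA-256 sidecar, signature over the sidecar.
type Release struct {
	Archive  []byte
	Checksum string // hex SHA-256, served over the same channel as Archive
	Sig      []byte // ed25519 signature over the Checksum string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// publish is the maintainer side: hash the archive and sign the checksum (constructed key, see main).
func publish(archive []byte, priv ed25519.PrivateKey) Release {
	sum := sha256Hex(archive)
	return Release{Archive: archive, Checksum: sum, Sig: ed25519.Sign(priv, []byte(sum))}
}

// tamper models an attacker in control of the download channel: they swap
// the archive and recompute the sidecar, but cannot produce a valid signature.
func tamper(r Release, replacement []byte) Release {
	return Release{Archive: replacement, Checksum: sha256Hex(replacement), Sig: r.Sig}
}

// VerifySameChannel trusts the checksum that arrived alongside the archive.
func VerifySameChannel(r Release) bool { return sha256Hex(r.Archive) == r.Checksum }
// VerifyPinnedChecksum compares against a checksum obtained over a different channel.
func VerifyPinnedChecksum(r Release, pinned string) bool { return sha256Hex(r.Archive) == pinned }
// VerifySigned checks the sidecar's signature with a public key obtained over a
// different channel, then checks the archive against the sidecar.
func VerifySigned(r Release, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, []byte(r.Checksum), r.Sig) && sha256Hex(r.Archive) == r.Checksum
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed release key for the demo
	rel := publish([]byte("constructed: contents of pkg-1.0.tar.gz"), priv)
	bad := tamper(rel, []byte("constructed: replaced archive"))
	fmt.Println("same-channel SHA-256 accepts tampered:", VerifySameChannel(bad))         // true
	fmt.Println("pinned SHA-256 accepts tampered:      ", VerifyPinnedChecksum(bad, rel.Checksum)) // false
	fmt.Println("signed SHA-256 accepts tampered:      ", VerifySigned(bad, pub))           // false
}
```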
