> On Nov 14, 2014, at 7:48 AM, Matthias Runge <mru...@redhat.com> wrote: > > On 13/11/14 19:11, Donald Stufft wrote: > >> As far as I’m aware npm supports TLS the same as pip does. That secures the >> transport between the end users and the repository so you can be assured >> that there is no man in the middle. Security wise npm (and pip) are about >> ~95% (mad up numbers, but you can get the gist) of the effectiveness as the >> OS package managers. > > Oh, e.g rpm allows packages to be cryptographically signed, and > depending on your systems config, that is enforced. This is quite > different from just tls'ing a connection.
You do realize that TLS provides cryptographic proof of authenticity and integrity just like PGP does right? (It also provides the cool benefit of privacy which PGP signing does not). Generally even with PGP signing you still have a number of online keys sitting on servers which are able to sign packages and the tooling will accept their signatures. The essential difference is basically, with TLS you depend on the web server to not be compromised, with PGP signing you depend on the build server to not be compromised. In theory you *can* use PGP signing in a way that all of the signing keys are offline, however this requires having a person manually sign all artifacts that are created (and even then, you'd want them to also generate said artifacts to ensure that they were not compromised). However in the real world, most (if not all) systems involve online keys. All this isn't to say that TLS is 100% as good as using something like PGP for signatures though. PGP does have some good benefits, the major one being that it "travels" better/easier/at all. For instance a PGP signature can be transfered alongside a package file and hosted on untrusted mirrors while relying on TLS means that you *must* trust the machine from which you're getting the files from. TLS is a fairly decent way of securing a package infrastructure though, it prevents all of the major attacks that PGP signing does in practice but it moves the "high value" target from the build machines to the web servers and makes mirroring require trusting the mirror. --- Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA _______________________________________________ OpenStack-dev mailing list OpenStackfirstname.lastname@example.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev