Jesse Noller gmail.com> writes:
> It's less about keeping "me" happy: I'm fine with a model that if GPG exists,
> it's used, silently (not linked against in any way though in core Python -
> license incompatible).
Right, but it may be OK for pip (or other Python tool with a non-GPL-compatible
li
On Thu, Feb 7, 2013 at 3:06 PM, Justin Cappos wrote:
> We'd like to integrate TUF ( https://www.updateframework.com/ ) into PyPI to
> help out if it makes sense. In theory the integration should be
> straightforward. It's basically just importing a few libraries in the
> client tools and askin
On 07/feb/2013, at 23:26, Nick Coghlan wrote:
>
> On 8 Feb 2013 02:43, "Giovanni Bajo" wrote:
> >
> > On 07/feb/2013, at 17:21, Donald Stufft wrote:
> >
> >> On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote:
> >>
> >> 1. If we're going to
On 8 Feb 2013 02:43, "Giovanni Bajo" wrote:
>
> On 07/feb/2013, at 17:21, Donald Stufft <donald.stu...@gmail.com> wrote:
>
>> On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote:
>>
>> 1. If we're going to implicitly trust PyPI when it says that key X is
valid for pac
Really enjoyed the (extended version with more attacks / issues:
http://isis.poly.edu/~jcappos/papers/cappos_pmsec_tr08-02.pdf ) paper,
especially how trust delegation is handled by having the repository track
keys that are then used to delegate trust to individual developers, and how
revocation is
On 07/feb/2013, at 17:21, Donald Stufft wrote:
> On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote:
>
> 1. If we're going to implicitly trust PyPI when it says that key X is valid
> for package Y,
> do we really gain much here? If we're trusting PyPI then we
On Thursday, February 7, 2013 at 10:50 AM, Giovanni Bajo wrote:
1. If we're going to implicitly trust PyPI when it says that key X is valid for
package Y,
do we really gain much here? If we're trusting PyPI then we only really
need secure
ingress and egress neither of which need packagin
On 07/feb/2013, at 16:38, "M.-A. Lemburg" wrote:
> On 07.02.2013 16:04, Giovanni Bajo wrote:
>> On 07/feb/2013, at 15:35, "M.-A. Lemburg" wrote:
>>
>>> On 07.02.2013 15:13, Giovanni Bajo wrote:
On 07/feb/2013, at 12:55, "M.-A. Lemburg"
On 07/feb/2013, at 16:16, Jesse Noller wrote:
>
>
> On Thursday, February 7, 2013 at 10:04 AM, Giovanni Bajo wrote:
>
>> On 07/feb/2013, at 15:35, "M.-A. Lemburg" > (mailto:m...@egenix.com)> wrote:
>>
>>> On 07.02.2013 15:13, Giovanni Bajo wrote:
Il g
On 07.02.2013 16:04, Giovanni Bajo wrote:
> On 07/feb/2013, at 15:35, "M.-A. Lemburg" wrote:
>
>> On 07.02.2013 15:13, Giovanni Bajo wrote:
>>> On 07/feb/2013, at 12:55, "M.-A. Lemburg" wrote:
> Can you please describe an attack that can be mounted
On 02/07/2013 09:19 AM, Jim Fulton wrote:
> On Wed, Feb 6, 2013 at 3:15 AM, Nick Coghlan wrote:
>> As folks may be aware, I am moderating a panel called "Directions in
>> Packaging" on the Saturday afternoon at PyCon US.
>>
>> Before that though, I am also organising what I am calling a
>> "Pack
On Wed, Feb 6, 2013 at 3:15 AM, Nick Coghlan wrote:
> As folks may be aware, I am moderating a panel called "Directions in
> Packaging" on the Saturday afternoon at PyCon US.
>
> Before that though, I am also organising what I am calling a
> "Packaging & Distribution Mini-Summit" as an open space
On Thursday, February 7, 2013 at 10:04 AM, Giovanni Bajo wrote:
> On 07/feb/2013, at 15:35, "M.-A. Lemburg" (mailto:m...@egenix.com)> wrote:
>
> > On 07.02.2013 15:13, Giovanni Bajo wrote:
> > > On 07/feb/2013, at 12:55, "M.-A. Lemburg" > > (mailto:m...@egenix.c
On 07/feb/2013, at 15:35, "M.-A. Lemburg" wrote:
> On 07.02.2013 15:13, Giovanni Bajo wrote:
>> On 07/feb/2013, at 12:55, "M.-A. Lemburg" wrote:
Can you please describe an attack that can be mounted against PyPI/pip
that is prevented by having
Thrilling. I will be there with bells on and a laundry list in hand.
Seriously - this is becoming a big-ticket item for the OpenStack
Infrastructure team - and I think there are some really big wins to be
had without needing to write distutils4 :) So thanks for organizing this!
Monty
On 02/06/20
On Wed, Feb 06, 2013 at 18:15 +1000, Nick Coghlan wrote:
> As folks may be aware, I am moderating a panel called "Directions in
> Packaging" on the Saturday afternoon at PyCon US.
>
> Before that though, I am also organising what I am calling a
> "Packaging & Distribution Mini-Summit" as an open s
+1 on listening to the computer science professor.
On Thu, Feb 7, 2013 at 9:06 AM, Justin Cappos wrote:
> There are a whole host of subtle problems that you can get into with
> security for package distribution.
>
> For some issues with handling metadata in the presence of a MITM that have
> be
On 07.02.2013 15:13, Giovanni Bajo wrote:
> On 07/feb/2013, at 12:55, "M.-A. Lemburg" wrote:
>>> Can you please describe an attack that can be mounted against PyPI/pip that
>>> is prevented by having this additional signature?
>>
>> This is not about preventing some kind of a
On 07/feb/2013, at 12:55, "M.-A. Lemburg" wrote:
> On 07.02.2013 12:49, Giovanni Bajo wrote:
>> On 07/feb/2013, at 11:59, "M.-A. Lemburg" wrote:
>>
>>> Sorry, if this has already been mentioned, but we could make GPG
>>> signing very user friendly for th
There are a whole host of subtle problems that you can get into with
security for package distribution.
For some issues with handling metadata in the presence of a MITM that have
been fixed in most of the popular Linux package managers:
http://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
On Thursday, February 7, 2013 at 5:32 AM, Jesse Noller wrote:
> That tutorial would have to be amazingly easy, and GPG could never be a hard
> requirement. GPG is still annoying, clunky and painful enough that it would
> just become a nuisance and people would move elsewhere.
>
> So adding suppo
On 07.02.2013 12:49, Giovanni Bajo wrote:
> On 07/feb/2013, at 11:59, "M.-A. Lemburg" wrote:
>
>> Sorry, if this has already been mentioned, but we could make GPG
>> signing very user friendly for the PyPI users by:
>>
>> - having the PyPI server verify the uploaded file agai
On 07/feb/2013, at 11:58, Jesse Noller wrote:
>
>
> On Feb 7, 2013, at 5:45 AM, Giovanni Bajo wrote:
>
>> On 07/feb/2013, at 11:32, Jesse Noller wrote:
>>
>>>
>>>
>>> On Feb 7, 2013, at 5:25 AM, Giovanni Bajo wrote:
>>>
On 07/feb/2013
On 07/feb/2013, at 11:59, "M.-A. Lemburg" wrote:
> Sorry, if this has already been mentioned, but we could make GPG
> signing very user friendly for the PyPI users by:
>
> - having the PyPI server verify the uploaded file against the
> registered GPG key of the uploader
>
>
On Wed, Feb 6, 2013 at 9:57 PM, Zygmunt Krynicki
wrote:
>> Right, but then we are again back to trusting a central authority,
>> in this case plone.org. If we can trust plone.org, why can't we
>> trust Python.org?
>
> Because presumably plone foundation looks at the dependency list and
> cares. No
On Thu, Feb 7, 2013 at 11:32 AM, Jesse Noller wrote:
> That tutorial would have to be amazingly easy, and GPG could never be a hard
> requirement. GPG is still annoying, clunky and painful enough that it would
> just become a nuisance and people would move elsewhere.
*Using* gpg should not be a r
On 7 Feb, 2013, at 11:58, Jesse Noller wrote:
>
>
> Not really - I know that if we're going to do crypto, the first rule of
> crypto is "don't make your own crypto" - I've just worked with pgp/openpgp
> enough to realize its usability is astoundingly atrocious.
>
But not so bad that it can't
Sorry, if this has already been mentioned, but we could make GPG
signing very user friendly for the PyPI users by:
- having the PyPI server verify the uploaded file against the
registered GPG key of the uploader
- have the PyPI server sign the uploaded file using its own
key (so you have two
On Feb 7, 2013, at 5:45 AM, Giovanni Bajo wrote:
> On 07/feb/2013, at 11:32, Jesse Noller wrote:
>
>>
>>
>> On Feb 7, 2013, at 5:25 AM, Giovanni Bajo wrote:
>>
>>> On 07/feb/2013, at 11:08, Ronald Oussoren wrote:
>>>
On 6 Feb, 2013,
On 7 Feb, 2013, at 11:51, Giovanni Bajo wrote:
>
>>
>>>
What I haven't seen (or have overlooked) in the entire discussion is what
we're trying to protect against. The thread kicked off due to a report of
how to perform MITM attacks against PyPI, but it seems that some of the
On 07/feb/2013, at 11:45, Ronald Oussoren wrote:
>
> On 7 Feb, 2013, at 11:25, Giovanni Bajo wrote:
>
>> On 07/feb/2013, at 11:08, Ronald Oussoren wrote:
>>
>>>
>>> On 6 Feb, 2013, at 22:15, Daniel Holth wrote:
>>>
On Wed, Feb 6, 2013 at 4:05
On 07/feb/2013, at 11:32, Jesse Noller wrote:
>
>
> On Feb 7, 2013, at 5:25 AM, Giovanni Bajo wrote:
>
>> On 07/feb/2013, at 11:08, Ronald Oussoren wrote:
>>
>>>
>>> On 6 Feb, 2013, at 22:15, Daniel Holth wrote:
>>>
On Wed, Feb 6, 2013 at 4:0
On 7 Feb, 2013, at 11:25, Giovanni Bajo wrote:
> On 07/feb/2013, at 11:08, Ronald Oussoren wrote:
>
>>
>> On 6 Feb, 2013, at 22:15, Daniel Holth wrote:
>>
>>> On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote:
>>>
>>>
>>> On Wednesday, February 6, 2013 at 4:02 PM, D
On Feb 7, 2013, at 5:25 AM, Giovanni Bajo wrote:
> On 07/feb/2013, at 11:08, Ronald Oussoren wrote:
>
>>
>> On 6 Feb, 2013, at 22:15, Daniel Holth wrote:
>>
>>> On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote:
On Wednesday, February 6, 2013 at 4:02
On 07/feb/2013, at 11:08, Ronald Oussoren wrote:
>
> On 6 Feb, 2013, at 22:15, Daniel Holth wrote:
>
>> On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote:
>>
>>
>> On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote:
>>
>> > On Wednesday, February 6, 2013 at
On Feb 6, 2013, at 10:20 PM, Richard Jones wrote:
> On 7 February 2013 13:40, wrote:
>>
>> Quoting Jesse Noller:
>>
>>
>>> I don't think we need to transfer the domain to the PSF, but it should
>>> definitely be hosted on our cluster at OSU
>>
>>
>> It should continue to live on the v
On 6 Feb, 2013, at 22:15, Daniel Holth wrote:
> On Wed, Feb 6, 2013 at 4:05 PM, Jesse Noller wrote:
>
>
> On Wednesday, February 6, 2013 at 4:02 PM, Donald Stufft wrote:
>
> > On Wednesday, February 6, 2013 at 4:01 PM, Vinay Sajip wrote:
> > > M.-A. Lemburg egenix.com (http://egenix.com)> w
Quoting Jesse Noller:
It's user uploaded content we already know to be unsafe, that we're
putting on a different domain. Why host it on the same box when we
already know VM isolation reduces the attack surface of each VM?
PyPI is fundamentally about user-uploaded content. The regular re