On Tue, Feb 05, 2013 at 15:46 +0100, Giovanni Bajo wrote:
> On 05/feb/2013, at 15:06, Holger Krekel
> <[email protected]> wrote:
>
> > In the end, however, none of this prevents MITM attacks between a
> > downloader and pypi.python.org. Or between the uploader and
> > pypi.python.org (using basic auth over http often). Signing methods like
> > https://wiki.archlinux.org/index.php/Pacman-key are key. If a signature is
> > available (also at a download_url site), then we can exclude undetected
> > tampering. And there might not be a need to break currently working
> > package releases.
>
> A signature is not enough; if you don't have a secure channel,
> signatures can be replayed. E.g.: if you install through an insecure
> channel and you just verify GPG signatures on the package, I can MITM
> you and serve you an older, vulnerable package version (with its
> correct signature), and then go exploit that vulnerability.
Point taken. I guess unless someone sits down and writes a PEP-ish path for
fortification, it's gonna be hard to assess viability and resilience against
the several attack vectors, which should be sorted/prioritized. Or is somebody
on that already? (There were hints of some background discussions; not sure
that's helping much, as most attack vectors against the Python packaging
ecosystem are kind of well known or easy to guess after a bit of research and
experimentation.)

best,
holger

> --
> Giovanni Bajo :: [email protected]
> Develer S.r.l. :: http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
>
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
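Added example, not part of the thread and not anyone's project code: a constructed Python model of the replay Giovanni describes (a signature-only client accepting an older, validly signed release served by a man in the middle) next to a client that also enforces freshness. It goes one step beyond the quoted message by showing a mitigation: the signed metadata carries an expiry, and the client refuses to step down to a lower version than it has already installed. HMAC stands in for GPG signing so the script runs without gnupg; the clock, release data and the names make_release, SignatureOnlyClient and FreshnessClient are all assumptions made for the demo.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a GPG signing key (HMAC, so the demo runs without
# gnupg). Real releases use asymmetric signatures; the replay issue is the same.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(payload), sig)


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; enough for the comparison the demo needs.
    return tuple(int(part) for part in v.split("."))


def make_release(name, version, sdist, issued_at, lifetime=7 * 86400):
    """Publisher side: sign metadata binding name, version, sdist hash and a validity window."""
    meta = {"name": name, "version": version,
            "sha256": hashlib.sha256(sdist).hexdigest(),
            "issued_at": issued_at, "expires_at": issued_at + lifetime}
    payload = json.dumps(meta, sort_keys=True).encode()
    return {"metadata": payload, "signature": sign(payload), "sdist": sdist}


class SignatureOnlyClient:
    """Checks signature and hash only: what 'just verify the GPG signature' amounts to."""

    def install(self, release):
        if not verify(release["metadata"], release["signature"]):
            raise ValueError("bad signature")
        meta = json.loads(release["metadata"])
        if hashlib.sha256(release["sdist"]).hexdigest() != meta["sha256"]:
            raise ValueError("sdist does not match signed hash")
        return meta


class FreshnessClient(SignatureOnlyClient):
    """Same checks, plus expiry and no-rollback checks taken from the *signed* metadata."""

    def __init__(self, now):
        self.now = now            # clock callable, injected so the demo is deterministic
        self.highest_seen = {}    # package name -> highest version installed so far

    def install(self, release):
        meta = super().install(release)
        if self.now() > meta["expires_at"]:
            raise ValueError("signed metadata has expired: stale copy or replay")
        prev = self.highest_seen.get(meta["name"])
        if prev and parse_version(meta["version"]) < parse_version(prev):
            raise ValueError(f"rollback: {meta['version']} is older than {prev}")
        self.highest_seen[meta["name"]] = meta["version"]
        return meta


def rejects(client, release):
    try:
        client.install(release)
        return False
    except ValueError:
        return True


def run_scenario():
    """Constructed MITM scenario; returns which client accepted what."""
    now = 1_360_000_000  # fixed clock (early Feb 2013)
    vulnerable = make_release("demo", "1.0", b"sdist with known bug", issued_at=now - 3 * 86400)
    fixed = make_release("demo", "1.1", b"sdist with the fix", issued_at=now - 86400)
    stale = make_release("demo", "1.0", b"sdist with known bug", issued_at=now - 60 * 86400)
    tampered = dict(fixed, sdist=b"sdist with a backdoor")  # valid signature, altered archive

    naive = SignatureOnlyClient()
    fresh = FreshnessClient(now=lambda: now)
    naive.install(fixed)  # both clients are already on the fixed release
    fresh.install(fixed)
    return {
        # A signature alone cannot tell a current release from a replayed older one.
        "naive_accepts_rollback": naive.install(vulnerable)["version"] == "1.0",
        "fresh_rejects_rollback": rejects(fresh, vulnerable),
        # A client with no install history still rejects a copy past its signed expiry.
        "fresh_rejects_stale": rejects(FreshnessClient(now=lambda: now), stale),
        # Modifying the archive is caught by both, because the hash is what is signed.
        "tampered_rejected": rejects(naive, tampered) and rejects(fresh, tampered),
    }


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

The point of the two clients is that the rollback in the quoted message is invisible to anything that only asks "is this signature valid?"; the signer has to commit to a validity window, and the client has to keep state (highest version seen) for the check to mean anything. An attacker who controls the channel can still withhold updates entirely within the window, which is why the expiry is kept short.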
