On Tue, Feb 05, 2013 at 16:07 +0100, Lennart Regebro wrote:
> On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel <holger.kre...@gmail.com> wrote:
> > I wouldn't assume that maintainers are easily reachable. I've contacted at
> > least three people of different (>1K downloads) packages which never
> > responded.
>
> We really can't do very much about abandoned packages.
>
> > And of course, I didn't mean to imply that already installed packages would
> > suddenly break. Rather that installation instructions like "use pip install
> > X" will just fail with some dependency "Y" not getting installed. Or
> > getting installed in some random lower version which might contain evil bugs
> > (including security bugs). For example, the referenced "lockfile" project
> > has a "0.2" release on pypi, but is currently at 0.9.
>
> There is no way around that problem, except other people than the
> maintainers uploading the software to PyPI. That's certainly an
> option, and I have no good argument against it, but I don't like it.
> (Obviously it can only be done for software marked with relevant licenses).
>
> > In the end, however, none of this prevents MITM attacks between a downloader
> > and pypi.python.org.
>
> Sure, and that's another problem, and the low-hanging fruit there is
> using https.

Transporting almost all externally reachable packages to be locally pypi
served is also kind of a low-hanging fruit, although probably slightly
higher hanging than SSL :) The point is that we can have some control over
those packages once we have them - so we can delete them if they are
reported to be malicious, independently of maintainer reachability.

> > If a signature is available (also at a download_url site), then we can
> > exclude undetected tampering.
>
> If they can change the file at the download_url site, then they surely
> can change the signature?

No, because a signature can only be created by the original author for a
particular file (his upload), not from the download site or a
MITM-attacker for a different file.

best,
holger

> //Lennart
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
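A worked example of the last exchange, added by the editor and not part of the thread: it shows why a download site or MITM attacker who can swap a file cannot also produce a signature that verifies under the author's public key, and why a checksum served from the same site gives no such guarantee. It uses a deliberately minimal textbook RSA (no padding, no side-channel care) so that it runs on the Python standard library alone; that toy, the key-generation code, and the file contents are all constructed for illustration and are not PyPI's or any project's code.

```python
"""Added example: signatures vs. same-site checksums when a download site or
MITM attacker can replace a file.

The RSA here is a teaching toy (textbook RSA, no padding); it exists only so
the demo has no third-party dependency.  All names and bytes are constructed.
"""
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test (sufficient for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd number of exactly `bits` bits that passes Miller-Rabin."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, E), (n, d)): public key and private key of a toy RSA pair."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            n = p * q
            return (n, E), (n, pow(E, -1, phi))


def _digest_int(data):
    """SHA-256 of the file as an integer; 256 bits, so always below the 512-bit n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Hash the file and apply the private exponent: only the key holder can do this."""
    n, d = private_key
    return pow(_digest_int(data), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify(public_key, data, signature):
    """Check a signature with the author's public key; needs no secret at all."""
    n, e = public_key
    s = int.from_bytes(signature, "big")
    return s < n and pow(s, e, n) == _digest_int(data)


def demo():
    """Run the scenarios from the thread and return each outcome by name."""
    author_pub, author_priv = generate_keypair()
    _, attacker_priv = generate_keypair()  # attacker's own key, unknown to users

    # Constructed stand-in for the archive the author uploads and signs.
    release = b"lockfile-0.9.tar.gz (constructed sample bytes)"
    author_sig = sign(author_priv, release)

    # The download site (or a MITM) serves a modified copy instead.
    tampered = release + b"\n# injected change (constructed)"

    # A checksum published next to the file is replaced just as easily as the
    # file, so a downloader comparing the two learns nothing.
    published_checksum = hashlib.sha256(tampered).hexdigest()
    checksum_check_passes = hashlib.sha256(tampered).hexdigest() == published_checksum

    return {
        "genuine_file_verifies": verify(author_pub, release, author_sig),
        "tampered_file_old_sig": verify(author_pub, tampered, author_sig),
        "tampered_file_attacker_resigned": verify(author_pub, tampered, sign(attacker_priv, tampered)),
        "checksum_check_passes_on_tampered_file": checksum_check_passes,
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The decisive difference is where the trust anchor lives: the author's public key is obtained once, out of band (or from the index), and never from the download site, so a file served by that site verifies only if the author signed exactly those bytes. Anything served alongside the file, checksum or signature blob alike, can be swapped by whoever controls the site; the signature survives that because the attacker cannot compute one that the author's key accepts.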