We're hoping to be able to fix this by interposing on network communications by these tools. The basic idea is that we'll have a replacement for urllib, urllib2, etc. that adds and validates security cleanly. (Note the replacements will only be used in python package managers.) TUF ( https://www.updateframework.com/ ) will correctly validate security metadata and only pass validly signed information to the package manager for installation.
So the hope is that other than a few lines of code that import the alternative for urllib, urllib2, etc. there won't be any changes. We will be maintaining the security code as a separate project (TUF is used by things other than Python package managers) and will be constantly improving it.

Anyways, I won't be able to attend, but I will try to get a student to show a demo in the hallways at PyCon to show what we mean...

Thanks,
Justin

On Sat, Feb 9, 2013 at 6:28 PM, Jesse Noller <[email protected]> wrote:

> On Feb 9, 2013, at 6:13 PM, Stephen Thorne <[email protected]> wrote:
>
>> Hello,
>>
>> One of my concerns with the recent pip dramas that have seen some excellent and timely action from catalog-sig and others, is that 'setuptools' is still widely distributed and used instead of distribute/pip.
>
> Well, let's back up: these aren't pip-specific problems: just about every client-side tool for installing from pypi suffers from lax security.
>
>> Setuptools either needs to be sunset, notices put on pypi, warnings given to its users, out of linux distros, or it has to be upgraded to be feature compatible with the security updates.
>>
>> That's a strong statement I've made, but I feel strongly that something has to be done. I would like to solicit opinions here before an action plan is composed.
>
> This is a bit of a question mark to me: the reality is that easy_install/setuptools usage is probably still dramatically higher than that of more modern tooling. That, and AFAIK, there are still features of them that the alternatives do not support (binary eggs, which are a must for windows).
>
> This leaves us at the point where they cannot be sunset unless the "other tools" grow the features of setuptools/easy_install or we (the collective we) take on the burden of updating that tool chain to support secure installations.
>
> Just patching them for security fixes seems like an "easy" task; the bigger question is how to do that only without further feature addition and getting a release out the door?
>
> Jesse
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
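Justin's proposal above, a drop-in replacement for urllib that only hands validly signed content to the package manager, sketched as an added example; this is not TUF's code and was not posted in the thread. It assumes Python 3's urllib.request, a constructed targets file, and HMAC with a shared key standing in for TUF's asymmetric signatures; fake_server and demo-1.0.tar.gz are invented so it runs offline.

```python
import hashlib
import hmac
import io
import json
import urllib.request

# Constructed stand-in for TUF "targets" metadata: the exact length and sha256
# of every file the package manager may install.  TUF signs it with asymmetric
# keys (ed25519/RSA); HMAC with a shared key stands in so this runs on stdlib.
TRUSTED_KEY = b"constructed-demo-key"
PAYLOAD = b"constructed sdist bytes"
TARGETS = {"demo-1.0.tar.gz": {"length": len(PAYLOAD),
                               "hashes": {"sha256": hashlib.sha256(PAYLOAD).hexdigest()}}}
SIGNED = json.dumps(TARGETS, sort_keys=True).encode()
SIGNATURE = hmac.new(TRUSTED_KEY, SIGNED, "sha256").hexdigest()

class VerificationError(Exception):
    """Raised instead of handing unverified bytes to the package manager."""

def load_targets(signed=SIGNED, signature=SIGNATURE, key=TRUSTED_KEY):
    # Verify the signature before trusting anything inside the metadata.
    expected = hmac.new(key, signed, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise VerificationError("targets metadata signature invalid")
    return json.loads(signed)

def urlopen(url, _fetch=urllib.request.urlopen):
    # Drop-in replacement for urllib's urlopen: same call shape, but bytes are
    # only returned once they match the signed metadata.  _fetch is injectable
    # so the example can run against fake_server() below instead of PyPI.
    targets = load_targets()
    name = url.rsplit("/", 1)[-1]
    entry = targets.get(name)
    if entry is None:
        raise VerificationError("%s is not listed in signed targets" % name)
    with _fetch(url) as resp:
        # Read one byte past the signed length: an over-long body is rejected
        # without letting the server stream unbounded data at the client.
        data = resp.read(entry["length"] + 1)
    if len(data) != entry["length"]:
        raise VerificationError("%s: length mismatch" % name)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["hashes"]["sha256"]):
        raise VerificationError("%s: sha256 mismatch" % name)
    return io.BytesIO(data)

def fake_server(body):
    # Constructed stand-in for a mirror response, so the example runs offline.
    return lambda url: io.BytesIO(body)
```

A package manager that switches its `urlopen` import to this one gets the length and hash checks without other code changes; a mismatch surfaces as VerificationError rather than as an installed file.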
