Okay, I took a quick look and posted a bunch of comments in the document. I took a more thorough look at the early sections than the later.
You've done a nice job with the design overall and clearly thought through a lot of security issues. I did point several places where I either don't understand something or there might be a potential to improve the security. After reading the doc, I'm not clear on how mirrors / CDNs / separate file servers will be used in the system and what sort of trust you are placing in them. In particular, much of the text about PyPI may or may not apply to mirrors. These are a major headache from a security standpoint and something we've really tried to minimize in TUF. I've also thought more about how TUF would address the issues you've mentioned. I believe TUF addressed the concerns mentioned in the doc (except of course things like password storage which are PyPI website changes). We also all of the proposed future enhancements mentioned at the end of the document. I must confess I'm still digging out after my deadline, so my responses may be delayed. Thanks, Justin On Sat, Feb 9, 2013 at 4:23 PM, Giovanni Bajo <[email protected]> wrote: > Hello, > > my proposal for fixing PyPI and pip security is here: > > https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit# > > I tried to sum up the discussions we had here last week, elaborating on > Heimes' proposal by simplifying it where I thought the additional steps > wouldn't guarantee additional security. At this point, the proposal does > not include a central, uber-master online GPG signing key to be stored on > PyPI, which is IMO quite hard to handle correctly. > > Comments are welcome! > -- > Giovanni Bajo :: [email protected] > Develer S.r.l. :: http://www.develer.com > > My Blog: http://giovanni.bajo.it > > > _______________________________________________ > Catalog-SIG mailing list > [email protected] > http://mail.python.org/mailman/listinfo/catalog-sig > >
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
