On Mar 13, 2013, at 12:54 PM, Tres Seaver <tsea...@palladion.com> wrote:

> On 03/12/2013 03:57 PM, holger krekel wrote:
> > Nobody should be led to think that PyPI is a trusted or reviewed
> > source of software even if we got rid of external hosting completely.
> 
> Amen.  I still boggle at the amount of "sky is falling" stuff here over
> MITM / external links / whatever, given the potential damage from
> explicitly malicious uploads (trojans, viruses, whatever).  Package
> signing might help here, but only for consumers who are willing to think hard
> enough about the problem to manage a web of trust (frankly, a vanishingly
> small minority).

Really now? Let's see. I can easily protect against malicious uploads by only 
installing from trusted authors. I cannot easily prevent a MITM or a 
compromised external host if the tools don't protect me against it. Without the 
tooling and infrastructure moving to close this gap the only way to do it is to 
not use that tooling or infrastructure at all. Namely even if the author of the 
package is myself I cannot be secure installing it using the current toolchain 
and infrastructure unless I bend over backwards to make sure that no 
installable link appears anywhere in my long description, and I don't have a 
homepage, and I don't have a download url.

> 
> And then there are these problems:
> 
> - Backward-incompatible releases (even those which make appropriate
>   signals in their version numbers).
> 
> - Removal of distributions / releases / projects.
> 
> - Re-upload of new distributions which silently replace previous
>   distributions *of the same release* ("Yes, Virginia, there are
>   people out there who do this").
> 
> which are deal-killers for the folks who want always-on, reliable,
> repeatable, automatic installation from PyPI (instead of creating their
> own indexes).
> 
> Adding HTTPS or removing external links does nothing to mitigate those
> issues.

Yes, there are other problems, so let's just throw our hands in the air and say 
fuck it instead of iteratively working to secure the system.

> 
> 
> Tres.
> -- 
> ===================================================================
> Tres Seaver          +1 540-429-0999          tsea...@palladion.com
> Palladion Software   "Excellence by Design"    http://palladion.com
> 
> 
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
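
A check of the kind the message above describes, added here as an example and not code from this thread or from pip/PyPI: it scans the three metadata fields the reply names (home page, download URL, long description) for links an installer of that era could have followed, and flags plain-HTTP transport, hosts outside the index, and archive-looking paths. The sample metadata and the trusted-host list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed metadata for a hypothetical package; not a real project.
SAMPLE_METADATA = {
    "home_page": "http://example.org/mypkg",
    "download_url": "http://example.org/dl/mypkg-1.0.tar.gz",
    "long_description": (
        "mypkg does things.\n"
        "Older builds: https://files.example.org/old/mypkg-0.9.zip\n"
        "Docs: https://example.org/docs/\n"
    ),
}

# Assumption: the only host an installer should need at the time of the thread.
TRUSTED_HOSTS = {"pypi.python.org"}
ARCHIVE_RE = re.compile(r"\.(tar\.gz|tgz|tar\.bz2|zip|egg|exe)$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def classify(url):
    """Return the reasons an installer following this URL is exposed ([] if none)."""
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme == "http":
        reasons.append("plain-http")            # can be tampered with in transit
    if parsed.hostname and parsed.hostname not in TRUSTED_HOSTS:
        reasons.append("external-host")         # fetched from outside the index
    if ARCHIVE_RE.search(parsed.path or ""):
        reasons.append("installable-archive")   # looks like a release file
    return reasons


def audit_metadata(meta):
    """Report every URL in the three fields that an installer might follow."""
    findings = []
    for field in ("home_page", "download_url"):
        value = meta.get(field)
        if value:
            findings.append((field, value, classify(value)))
    for url in URL_RE.findall(meta.get("long_description", "")):
        findings.append(("long_description", url, classify(url)))
    return findings


def risky(meta):
    """Only the findings with at least one reason; a clean package yields []."""
    return [f for f in audit_metadata(meta) if f[2]]
```

Running `risky(SAMPLE_METADATA)` flags all four links in the sample, which is the situation the reply describes: the package cannot be installed safely with that toolchain unless every such link is removed.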


