Hello everyone, Donald, Justin and I have co-authored a PEP that recommends a comprehensive security solution to allow PyPI to secure its users against a wide array of compromises.
The gist of the PEP is that the changes to PyPI are essentially invisible to users and developers unless an attack is underway. The key design ideas are as follows:

* The main PyPI server will continue running as it is now, exposing HTTPS and legacy XML-RPC operations.
* The next-generation PyPI server (Warehouse) will expose a new API as well as TUF metadata to clients.
* Developers do not have to opt in to secure their projects with their own TUF metadata. In that case, PyPI will sign these "unclaimed" projects on their behalf. However, unclaimed projects will not be secure against a PyPI compromise.
* To protect against a PyPI compromise, developers may choose to register their public keys with Warehouse and upload their own signed TUF metadata about their projects.
* Therefore, developers do not have to concern themselves with key management in case they leave their projects as "unclaimed". When they do claim their projects, they simply have to register their keys once with Warehouse. After that, they may delegate signing for distributions as they wish without depending on Warehouse.
* Clients will be instructed to first search for a project in the more secure claimed metadata (protected by offline keys) before looking for it in the less secure unclaimed metadata (protected by online keys).
* Whether a project is claimed or unclaimed, all projects will be available through continuous delivery.
* Consistent snapshots allow clients and mirrors to safely read metadata and data despite the addition of new files to PyPI.
* It is efficient to securely install or update a project despite hundreds of thousands of files.

The official PEP is here: http://www.python.org/dev/peps/pep-0458/

The latest revisions to the PEP are here: https://github.com/theupdateframework/pep-on-pypi-with-tuf

We welcome your feedback and suggestions.

Thanks,
The PEP 458 team
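As an added illustration (not from the PEP or its authors), here is a Python sketch of two client-side rules described above: consult the claimed (offline-key) metadata before the unclaimed (online-key) metadata, and verify a download against the length and hash recorded in the metadata, using consistent-snapshot file naming. The target paths, metadata shape and distribution bytes are constructed, and signature verification of the metadata itself is assumed to have already happened.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed distribution payloads (stand-ins for real sdists/wheels).
FOO_DIST = b"foo-1.0 sdist bytes (constructed)"
BAR_DIST = b"bar-2.1 sdist bytes (constructed)"
TROJANED_FOO = b"trojaned foo-1.0 (constructed)"

def target_entry(data: bytes) -> dict:
    """TUF-style targets entry: the file's length and hash, as recorded by the signer."""
    return {"length": len(data), "hashes": {"sha256": sha256(data)}}

# 'claimed' metadata is signed with developers' offline keys; 'unclaimed' with PyPI's
# online key. Both are assumed to have passed signature verification already.
CLAIMED = {"targets": {"foo/foo-1.0.tar.gz": target_entry(FOO_DIST)}}
UNCLAIMED = {"targets": {
    "bar/bar-2.1.tar.gz": target_entry(BAR_DIST),
    # A compromise of the online key could plant a conflicting 'foo' entry here;
    # the lookup order below means a client never reaches it for a claimed project.
    "foo/foo-1.0.tar.gz": target_entry(TROJANED_FOO),
}}

def find_target(project: str, path: str, claimed: dict, unclaimed: dict):
    """Return (role, entry). A project present in claimed metadata is resolved there only;
    unclaimed metadata is consulted solely for projects the claimed role does not know."""
    prefix = project + "/"
    if any(p.startswith(prefix) for p in claimed["targets"]):
        return ("claimed", claimed["targets"].get(path))
    return ("unclaimed", unclaimed["targets"].get(path))

def consistent_filename(path: str, entry: dict) -> str:
    """Consistent snapshot: the file is fetched as <dir>/<sha256>.<name>, so a newer
    upload with the same name never replaces the bytes this metadata describes."""
    directory, _, name = path.rpartition("/")
    return f"{directory}/{entry['hashes']['sha256']}.{name}"

def verify_download(data: bytes, entry: dict) -> bool:
    """Reject the download unless both length and hash match the signed entry."""
    return len(data) == entry["length"] and sha256(data) == entry["hashes"]["sha256"]
```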
Distutils-SIG maillist - Distutils-SIG@python.org - https://mail.python.org/mailman/listinfo/distutils-sig