Once PEP 458 is put in place, it may be a good idea to make it so that all
external links are verifiable from a security standpoint. (Verifiable in
this sense means the devel uploaded a public key to PyPI that they used to
sign the project metadata.)

We're hoping that once PEP 458 is integrated, PyPI / Warehouse would start
to politely ask all developers (internal and external) to add a signing key
for their project. While the design will provide protection for projects
without signing keys, much better protections exist if they are used.
However, those protections are mitigated for externally hosted projects...

Perhaps it would be good to require a project key for external packages
since their packages lose many of the other protections against
mix-and-match attacks, timeliness attacks, etc.

Thanks,
Justin


On Sun, May 11, 2014 at 8:47 AM, Donald Stufft <don...@stufft.io> wrote:

>
> On May 11, 2014, at 3:58 AM, Paul Moore <p.f.mo...@gmail.com> wrote:
>
> > On 11 May 2014 08:38, Nick Coghlan <ncogh...@gmail.com> wrote:
> >> This confusion can likely be resolved by giving the obvious "allow external"
> >> name to the behaviour most users will want, and a more obscure name like
> >> "allow verifiable external" to the specialised behaviour folks like Stefan &
> >> MAL rely on.
> >
> > I'm struggling to reconcile Donald's assertion (based, I believe, on
> > his data from PyPI) that there are only 25 or so packages on PyPI that
> > are external but safe, and he's not familiar with any of them, against
> > the comment that Stefan and MAL are affected by this change.
> >
> > https://pypi.python.org/simple/cdecimal/ has no links - maybe because
> > Stefan withdrew them at the start of this debate.
>
> cdecimal used to but Stefan removed them and then posted his message
> to python-dev.
>
> > https://pypi.python.org/simple/egenix-mx-base/ has verifiable external
> > links. I'm pretty surprised that Donald hasn't heard of mx-base.
>
> egenix-mx-base does not have verifiable external links. Verifiable external
> links must be both directly linked to from the /simple/ index page and
> must include a hash. egenix-mx-base does not do this.
>
> >
> > Donald, maybe you could post the names of those 25 or so packages?
>
> I’d have to recompile the list since I (stupidly) didn’t keep it around.
>
> >
> > Download counts as a gross measure of popularity would be useful here,
> > but AIUI the current counts are unreliable. Is there any work going on
> > to get better download counts? That would really help in exercises
> > like this.
>
> Here’s the thing, we can’t use download counts here because we don’t
> host those files.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
>
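The rule Donald states above (a verifiable external link must appear directly on the project's /simple/ index page and must carry a hash) turned into a link classifier, as an added example that is not code from this thread, from pip, or from PyPI/Warehouse. The `#md5=<hex>` fragment form, the list of "internal" hosts and the sample index page are assumptions/constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: files served from this host are "internal" (hosted on PyPI itself).
INTERNAL_HOSTS = {"pypi.python.org"}
# Assumption: the hash is carried in the URL fragment, e.g. "#md5=<hex>".
HASH_FRAGMENT = re.compile(r"^(md5|sha1|sha256)=[0-9a-fA-F]+$")

class _LinkCollector(HTMLParser):
    """Collect every <a href> on the index page itself; nothing is followed or scraped."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def classify_links(index_url, html):
    """Map each link on a /simple/<project>/ page to one of
    internal, verifiable-external or unverifiable-external."""
    collector = _LinkCollector()
    collector.feed(html)
    classified = {}
    for href in collector.hrefs:
        url = urljoin(index_url, href)       # relative hrefs resolve to the index host
        parts = urlparse(url)
        if parts.netloc.lower() in INTERNAL_HOSTS:
            kind = "internal"
        elif HASH_FRAGMENT.match(parts.fragment):
            kind = "verifiable-external"     # linked directly from /simple/ and hashed
        else:
            kind = "unverifiable-external"   # e.g. a homepage link, or no hash at all
        classified[url] = kind
    return classified

def verifiable_external(index_url, html):
    # URLs that an "allow verifiable external" policy would still accept.
    return sorted(u for u, k in classify_links(index_url, html).items()
                  if k == "verifiable-external")

# Constructed sample index page (not real PyPI data).
INDEX_URL = "https://pypi.python.org/simple/example/"
SAMPLE_INDEX_HTML = """<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">example-1.0.tar.gz</a>
<a href="https://downloads.example.org/example-1.0.zip#md5=fedcba9876543210fedcba9876543210" rel="download">example-1.0.zip</a>
<a href="https://www.example.org/" rel="homepage">home</a>
<a href="https://downloads.example.org/example-0.9.zip">example-0.9.zip</a>
</body></html>"""
```

Only links present on the index page itself are considered; anything pip would only discover by scraping the homepage/download pages is, by the definition above, not verifiable.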