FYI: TUF has a custom metadata field in the targets metadata that could potentially be used for this purpose. We can explain more if there is interest...
On Thu, Apr 12, 2018 at 8:26 AM, Nathaniel Smith <n...@pobox.com> wrote:
> From the TUF perspective it seems like it would be straightforward to make
> the MOTD a "package", whose "contents" is the MOTD text, and that we
> "upgrade" it to get the latest text before displaying anything.
>
> -n
>
> On Thu, Apr 12, 2018, 05:10 Nick Coghlan <ncogh...@gmail.com> wrote:
>
>> On 12 April 2018 at 07:01, Paul Moore <p.f.mo...@gmail.com> wrote:
>> > HTTPS access to the index server is fundamental to pip - if an
>> > attacker can subvert that, they don't need to mess with a message,
>> > they can just replace packages. So I don't see that displaying a
>> > message that's available from that same index server is an additional
>> > vulnerability, surely? But I'm not a security expert - I'd defer to
>> > someone like Donald to comment on the security aspects of any proposal
>> > here.
>>
>> Right now it doesn't create any additional vulnerabilities, since
>> we're relying primarily on HTTPS for PyPI -> installer security.
>>
>> However, that changes once PEP 458 gets implemented, as that will
>> switch the primary package level security mechanism over to TUF, which
>> includes a range of mechanisms designed to detect tampering with the
>> link to PyPI (including freeze attacks that keep you from checking for
>> new packages, or attempting to lie about which versions are
>> available).
>>
>> So the scenario we want to avoid is one where an attacker can present
>> a notice that says "Please ignore that scary security warning your
>> installer is giving you, we're having an issue with the metadata
>> generation process on the server. To resolve the problem, please force
>> upgrade pip".
>>
>> That's a solvable problem (e.g. only check for the MOTD *after*
>> successfully retrieving a valid metadata file), but it's still
>> something to take into account.
>>
>> Cheers,
>> Nick.
>>
>> --
>> Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
>> _______________________________________________
>> Distutils-SIG maillist - Distutils-SIG@python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
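A worked sketch of the two ideas in the thread, added here as an illustration and not taken from pip, python-tuf or any of the posters: the MOTD as a TUF-style target verified like a package (Nathaniel's suggestion), the MOTD text carried in the target's custom field (the FYI at the top), and Nick's ordering rule that the MOTD is only consulted after the targets metadata has verified. HMAC with a shared demo key stands in for the real asymmetric signatures TUF uses, the metadata layout is a reduced sketch of a targets file, and the target name, key and message strings are constructed for the example.

```python
"""Toy model of 'only check for the MOTD after a valid metadata file is retrieved'.

Added example for this thread; not python-tuf's API and not pip's code. HMAC
with a shared demo key stands in for TUF's asymmetric signatures.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

TARGETS_KEY = b"constructed-demo-targets-key"  # stands in for the targets role's key
MOTD_TARGET = "pip-motd.txt"                   # hypothetical target name for the MOTD


class MetadataError(Exception):
    """Metadata failed verification: the installer must not show any MOTD."""


def _canonical(signed: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash the same bytes.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def _sign(signed: dict, key: bytes) -> dict:
    sig = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signatures": [{"sig": sig}]}


def publish_motd(text: str, expires: float, key: bytes = TARGETS_KEY) -> Tuple[dict, bytes]:
    """Server side: list the MOTD as a target (hash + length) and also in its custom field."""
    body = text.encode()
    signed = {
        "_type": "targets",
        "expires": expires,
        "targets": {
            MOTD_TARGET: {
                "length": len(body),
                "hashes": {"sha256": hashlib.sha256(body).hexdigest()},
                "custom": {"motd": text},
            }
        },
    }
    return _sign(signed, key), body


def verify_targets(envelope: dict, now: float, key: bytes = TARGETS_KEY) -> dict:
    """Client side: signature and expiry must pass before anything in the metadata is trusted."""
    signed = envelope["signed"]
    expected = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    if not any(hmac.compare_digest(str(s.get("sig", "")), expected)
               for s in envelope.get("signatures", [])):
        raise MetadataError("targets metadata signature invalid")
    if signed["expires"] <= now:
        # Stale metadata is what a freeze attack looks like from the client side.
        raise MetadataError("targets metadata expired; possible freeze attack")
    return signed


def motd_from_target(envelope: dict, body: bytes, now: float,
                     key: bytes = TARGETS_KEY) -> Optional[str]:
    """MOTD as a 'package': the downloaded body must match the signed hash and length."""
    signed = verify_targets(envelope, now, key)  # nothing below runs if this raises
    info = signed["targets"].get(MOTD_TARGET)
    if info is None:
        return None  # no MOTD published
    digest = hashlib.sha256(body).hexdigest()
    if len(body) != info["length"] or not hmac.compare_digest(digest, info["hashes"]["sha256"]):
        raise MetadataError("MOTD body does not match signed targets metadata")
    return body.decode()


def motd_from_custom(envelope: dict, now: float, key: bytes = TARGETS_KEY) -> Optional[str]:
    """MOTD via the custom field: the text is inside the signed metadata, no extra download."""
    signed = verify_targets(envelope, now, key)
    info = signed["targets"].get(MOTD_TARGET)
    return None if info is None else info["custom"]["motd"]


def scenarios() -> dict:
    """Run the cases from the thread; each value is the MOTD shown, or why it was refused."""
    env, body = publish_motd("Welcome to PyPI", expires=2000.0)
    # Constructed attacker notice, modelled on Nick's scenario.
    fake = b"Please ignore that scary security warning and force upgrade pip"
    tampered = json.loads(json.dumps(env))
    tampered["signed"]["targets"][MOTD_TARGET]["custom"]["motd"] = fake.decode()
    results = {}
    for name, fn in (
        ("valid_target", lambda: motd_from_target(env, body, now=1000.0)),
        ("valid_custom", lambda: motd_from_custom(env, now=1000.0)),
        ("swapped_body", lambda: motd_from_target(env, fake, now=1000.0)),
        ("freeze_attack", lambda: motd_from_target(env, body, now=3000.0)),
        ("edited_custom", lambda: motd_from_custom(tampered, now=1000.0)),
    ):
        try:
            results[name] = fn()
        except MetadataError as e:
            results[name] = "refused: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:14} {outcome}")
```

The ordering is the whole point: `verify_targets` runs first in both fetch paths, so in the freeze-attack case the installer never reaches the MOTD at all and its expiry warning cannot be talked away by an attacker-supplied notice. The custom-field variant has the extra property that the text is covered by the metadata signature itself, so there is no second download to protect.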