mitogen-hq / mitogen

Distributed self-replicating programs in Python
https://mitogen.networkgenomics.com/
BSD 3-Clause "New" or "Revised" License

Sign PyPI releases #771

Open maltfield opened 3 years ago

maltfield commented 3 years ago

Describe the bug

When a user downloads this Python module using pip, there is no cryptographic authenticity or integrity validation to protect the user from a MITM attack.

Therefore, this project is making any other projects that obtain the mitogen module via pip in their build process vulnerable to a watering hole attack.

Expected behavior

A developer should have a mechanism to cryptographically verify the integrity and authenticity of mitogen when obtaining it through pip.

To Reproduce

pip install mitogen

Additional context

Possible solutions include:

  1. Using the --sign argument of twine when uploading packages to PyPI

  2. Publishing a cryptographically signed document (ideally using gpg) listing the hashes for all packages uploaded to PyPI, which users can then pass into pip using the --hash argument
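The consumer side of option 2, as an added example that is not part of the issue or of mitogen's own tooling: it assumes the maintainer publishes a sha256sum-style manifest (`<sha256 hex>  <filename>`) whose detached signature the user has already checked out of band (e.g. with `gpg --verify`), verifies a downloaded artifact against that manifest in constant time, and emits the `--hash` requirement line that `pip install --require-hashes` needs. The filename and artifact bytes are constructed placeholders.

```python
import hashlib
import hmac
import re

# One manifest line per uploaded file, in sha256sum format (optional "*" before
# the name marks binary mode, as sha256sum itself prints it).
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)$")


def parse_manifest(text):
    """Map filename -> sha256 hex digest; reject malformed or conflicting lines."""
    hashes = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line %d: %r" % (lineno, raw))
        digest, name = m.groups()
        if name in hashes and hashes[name] != digest:
            raise ValueError("conflicting digests listed for %s" % name)
        hashes[name] = digest
    return hashes


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(manifest, filename, data):
    """True only if the file is listed in the manifest and its digest matches."""
    expected = manifest.get(filename)
    if expected is None:
        return False  # unlisted file: never trust it by default
    return hmac.compare_digest(expected, sha256_of(data))


def pip_requirement(manifest, project, version, filenames):
    """requirements.txt line for --require-hashes: one --hash per distribution file."""
    parts = ["%s==%s" % (project, version)]
    for name in filenames:
        parts.append("--hash=sha256:%s" % manifest[name])
    return " \\\n    ".join(parts)


# Constructed sample artifact and a manifest listing its digest (placeholder version).
SAMPLE_SDIST = b"not a real sdist; constructed for this example\n"
SAMPLE_NAME = "mitogen-0.0.0.tar.gz"
SAMPLE_MANIFEST = "%s  %s\n" % (sha256_of(SAMPLE_SDIST), SAMPLE_NAME)
```

Once the manifest's signature has been verified, the emitted line can be written to a requirements file and installed with `pip install --require-hashes -r requirements.txt`, which fails closed on any digest mismatch.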

s1113950 commented 3 years ago

Tagging @dw on this ticket since he's the only one I know that can push Mitogen to PyPI.