pypa / packaging-problems

An issue tracker for the problems in packaging

No Signing of Packages #15

Open dstufft opened 11 years ago

dstufft commented 11 years ago

There is no real and useful signing of packages. It would be great to have this to ensure download and upload integrity.

This is likely going to be solved with the possible introduction of TUF at a future point in time.

daenney commented 11 years ago

Considering the Rubygems hack of early this year and the attack on Python's wiki infrastructure I'm not sure we can afford to wait for 'a future point in time'.

The seemingly standard way of doing this is to provide a GPG signed checksums file containing a hash of every file in the package. The issue usually is that not everyone verifies those because GPG can be a wee bit confusing to people and there's no guarantee the developer actually securely manages and stores his GPG key.
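Added example, not code from this thread or from any PyPA project: the per-file hash manifest that the comment above describes, built and then verified against a package tree, with tampering (a modified file, a removed file, and a file added after the manifest was produced) reported explicitly. The signing step is left out, since it needs an external GPG binary; in practice the manifest text would be signed with a detached signature, and the point the thread makes still applies: if the consumer never checks that signature, the manifest only proves the download matched the manifest, not who produced either of them. The package tree and file names are constructed for the demo.

```python
"""Checksum manifest generation and verification for a package directory.

Added example (not from the pypa/packaging-problems thread). It builds a
SHA256SUMS-style manifest (one digest per file) and verifies a directory
against it. Signing the manifest (e.g. a detached GPG signature) is out of
scope here; without that verified signature the manifest proves integrity
only, not origin.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> str:
    """Return '<hex digest>  <relative path>' lines for every file under root."""
    lines = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        lines.append(f"{sha256_file(path)}  {rel}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse manifest text into {relative path: lowercase hex digest}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries[rel] = digest.lower()
    return entries


def verify_manifest(root: Path, manifest_text: str) -> dict:
    """Compare the files under root with the manifest.

    Returns {'ok', 'modified', 'missing', 'unlisted'} lists. Unlisted files are
    reported too: a check that only walks the listed entries would accept an
    archive into which an extra file had been added after the manifest was made.
    """
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif hmac.compare_digest(sha256_file(path), digest):
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in expected:
                result["unlisted"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo() -> dict:
    """Constructed package tree: build a manifest, tamper with the tree, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pkg").mkdir()
        (root / "pkg" / "__init__.py").write_text("VERSION = '1.0'\n")
        (root / "setup.py").write_text("from setuptools import setup\nsetup(name='pkg')\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate a modified file, a removed file and a file added after "signing".
        (root / "setup.py").write_text("from setuptools import setup\nsetup(name='pkg')\nimport os\n")
        (root / "pkg" / "__init__.py").unlink()
        (root / "extra.py").write_text("")
        tampered = verify_manifest(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Running the module prints a clean report (both files under `ok`) followed by a tampered one listing `setup.py` as modified, `pkg/__init__.py` as missing and `extra.py` as unlisted. Relative paths are normalised to POSIX form so a manifest produced on one platform verifies on another.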

ncoghlan commented 11 years ago

By "a future point in time", Donald actually means "the researchers behind The Update Framework are actively working on a solution that will actually be used, unlike GPG signing which is technically already supported, but nobody actually uses due to the key management problem".

TUF website: http://www.updateframework.com/projects/project
Mailing list: https://groups.google.com/forum/?fromgroups#!forum/theupdateframework

The Rubygems compromise was indeed a wake-up call that finally silenced a lot of people that had been objecting to attempts at hardening the distribution ecosystem as not worth the effort, and many security improvements have been made since then. The challenge the TUF folks are tackling is making it possible to survive a compromise of PyPI (at least for higher profile packages) without substantially raising the barrier to entry for new users distributing their first packages.

ncoghlan commented 11 years ago

Oh, nice, according to Trishank's latest update to the TUF list, the first public draft of their PEP should be published any day now: https://groups.google.com/forum/?fromgroups#!topic/theupdateframework/clYqvu8KzZ8

daenney commented 11 years ago

My apologies, when people say things like 'a future point in time' I've come to interpret that as "when pigs can fly".

ncoghlan commented 11 years ago

In this case, "after Python 3.4 and pip 1.5" is the main meaning (we had to scale several things back to focus on what was needed to meet the Python 3.4 deadlines for PEP 453).

alex commented 11 years ago

Existing gpg signatures which are uploaded aren't actually verified right? It'd be nice if that was an option.

brainwane commented 6 years ago

Here's the basic current state of things regarding PyPI and GPG signing of packages, at least as of a few months ago: https://github.com/travis-ci/dpl/issues/727#issuecomment-359203157

brainwane commented 6 years ago

Another summary of the current status of things is in https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/ .

brainwane commented 5 years ago

Package signing on PyPI will be part of Warehouse security work funded by a gift from Facebook that the Warehouse team will start working on later in 2019. The work includes "Cryptographic signing and verification of artifacts (PEP 458/TUF or similar)" and additional features (milestone).

https://github.com/pypa/warehouse/issues/5247 has more detail on the current discussion around TUF.