Tarek Ziadé / distribute
Issue #374 (status: wontfix)

distribute_setup.py should be signed by a trusted party, and/or served over HTTPS

Damien Diederen created an issue

The following blog post:

http://www.hexblog.com/?p=726

invites users to install distribute via the following steps:

$ curl -O http://python-distribute.org/distribute_setup.py
$ less distribute_setup.py  # (*)
$ sudo /opt/Python2.7.4-32bits/bin/python2.7 distribute_setup.py

This suffers from the shortcomings mentioned in issue #354. I tried using HTTPS instead:

$ curl -O https://python-distribute.org/distribute_setup.py

but that results in a cryptic error instead of a successful download.

There is currently no way for a user to assess that the code she is about to execute has not been modified by a third party.

Could you either:

  • Make distribute_setup.py accessible via HTTPS on a trusted website, and update the recommended instructions;

  • Put a page up at e.g. http://python-distribute.org/index.html containing signatures next to the download link, as is being done for each Python release (e.g. http://www.python.org/getit/releases/3.3.1/).

Thanks!

(Feel free to merge with #354, but I'm opening this one as a critical bug to make sure it does not go unnoticed.)
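For comparison, here is what a bootstrap fetch that addresses both complaints above looks like: it refuses plain http:// links, validates the server certificate against the system trust store, and checks the downloaded body against a pinned SHA-256 digest before anything is handed to the interpreter. This is an added example, not distribute's or Setuptools' own code; the URL and digest are placeholders, and the `fetch` parameter exists so the checks can be exercised offline with constructed bytes.

```python
"""Hardened fetch for a run-this-script installer (added example, not distribute's code)."""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Placeholders: publish the real digest next to the download link (over HTTPS,
# or in a signed release note) and pin it here before shipping this script.
INSTALLER_URL = "https://example.invalid/distribute_setup.py"
INSTALLER_SHA256 = "<sha256 hex of the published installer>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_https_url(url: str) -> bool:
    """Only https:// is acceptable; an http:// body can be rewritten by anyone on the path."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def fetch_https(url: str, timeout: float = 30.0) -> bytes:
    """Download over TLS with certificate and hostname verification enabled.
    create_default_context() loads the system CA bundle and sets CERT_REQUIRED
    plus check_hostname=True, so an interposed host with an untrusted cert fails."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def verify_digest(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the body digest against the pinned value."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def fetch_verified(url: str, expected_sha256: str, fetch=fetch_https) -> bytes:
    """Return the installer bytes only if the URL is HTTPS and the digest matches."""
    if not is_https_url(url):
        raise ValueError(f"refusing to fetch non-HTTPS URL: {url!r}")
    data = fetch(url)
    if not verify_digest(data, expected_sha256):
        raise RuntimeError("digest mismatch: installer was modified or the pin is stale")
    return data


if __name__ == "__main__":
    # Offline self-check with a constructed payload; swap in fetch_https and the
    # real INSTALLER_URL / INSTALLER_SHA256 for an actual bootstrap.
    sample = b"print('constructed installer body')\n"
    body = fetch_verified(INSTALLER_URL, sha256_hex(sample), fetch=lambda _u: sample)
    print(f"verified {len(body)} bytes; safe to exec only after this point")
```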

Comments (6)

  1. cbensf

    The second option (index.html with signatures) only improves things if the new page is served via https. Besides, the whole point of distribute_setup.py is letting people blindly run a very simple command; very few would notice it's http, find the associated page and verify a signature.

  2. Damien Diederen reporter

    Hi cbensf,

    I may be misunderstanding your answer, but signatures do not have to be served over a secure channel, as they rely on the OpenPGP Web of Trust to guarantee integrity and authenticity.

    As for the whole point of distribute: I cannot in good conscience tell a customer to "blindly run" that command, as it's trivially easy to substitute its payload with arbitrary code—especially over unsecured Wi-Fi networks. HTTPS would greatly reduce that vector of attack.

    (Note that telling a customer to verify a PGP signature is fine, as it becomes their responsibility if they willingly ignore my advice.)

    Cheers, -D

  3. jaseg

    At least for the stuff distribute_setup.py downloads, it would be trivial to do proper verification by putting a public key into distribute_setup.py.

    Of course, distribute_setup.py must be served via https. If you are having trouble setting that up on python-distribute.org, in the meantime perhaps consider just using (and trusting) bitbucket.org, which as of now does have working HTTPS.

  4. Jason R. Coombs

    This issue is being addressed for Setuptools (which supersedes Distribute) by (a) using HTTPS links in Bitbucket, updated by bookmarks to point to the latest stable version and (b) using system web downloads (curl, wget, powershell) to validate the HTTPS certificate using PKI. The latter will be available with the release of Setuptools 1.0 (imminent).

    python-distribute.org is no longer being maintained and will probably not get HTTPS. The scripts remain there for backward compatibility, but new users are encouraged to install Setuptools according to the instructions on the PyPI page.
