pypi and pip security
=====================

Steps to secure
---------------

    * Package upload to the central pypi repository

        * How is the uploader authenticated?
        * Are packages uploaded using a secure connection? HTTPS, SSH?  
          Is it used at all times?
        * How privileged is the user after authentication? Which 
          packages can one modify?

    * Downloading the package and its dependencies

        * Checksum verification of the package and its dependencies
        * Only MD5 sums are available
        * Where can one get the sums from?

            * package descriptions (human-readable) -- special suffixes 
              in links (``#md5=``)

                * pip (version: Debian 1.1-3) ignores this suffix 
                  despite it being mentioned in the documentation [1]_,
                * this method doesn't provide sums checking for 
                  dependencies.

            * in the repository's subdirectory ``/simple``.

        * Authenticating sums [2]_ from the ``/simple`` subdirectory of 
          a mirror

            * ``/simple``, ``/serversig``, ``serverkey``
            * ``serverkey`` fetched via HTTPS using a well-known CA 

    * Lack of OpenPGP signatures on packages and no method to verify 
      them automatically

Example
-------

Execute the following commands:

    ::
        
        wget https://pypi.python.org/serverkey
        wget -O netaddress-simple http://d.pypi.python.org/simple/netaddress/
        wget -O netaddress-serversig http://d.pypi.python.org/serversig/netaddress
        openssl dgst -verify serverkey -signature netaddress-serversig netaddress-simple

At this point it is known whether the sums list is authenticated by 
pypi. Now one can check whether the sum of the downloaded package 
matches the one on the list (``netaddress-simple``).
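
The check described above, as an added Python example (it is not the ``verify.py`` or ``verify.sh`` mentioned in this document): it extracts the ``#md5=`` link suffixes from the already authenticated list and compares one of them with the MD5 of a downloaded archive. The function names, the file name ``netaddress-1.0.tar.gz``, the sample page and the archive bytes are constructed for illustration.

```python
import hashlib
import hmac
import posixpath
from html.parser import HTMLParser
from urllib.parse import urldefrag, urlparse


class SimpleIndexParser(HTMLParser):
    """Collect {file name: md5 hex} from the ``#md5=`` link suffixes."""

    def __init__(self):
        super().__init__()
        self.sums = {}

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        url, fragment = urldefrag(dict(attrs).get("href") or "")
        if not fragment.startswith("md5="):
            return  # link without a checksum, e.g. a home page link
        digest = fragment[len("md5="):].lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            return  # malformed suffix is treated as "no checksum"
        self.sums[posixpath.basename(urlparse(url).path)] = digest


def listed_md5(simple_html, filename):
    """Return the MD5 listed for filename, or None if it is not listed."""
    parser = SimpleIndexParser()
    parser.feed(simple_html)
    return parser.sums.get(filename)


def archive_matches(simple_html, filename, data):
    """True only if filename is listed and data hashes to the listed MD5."""
    expected = listed_md5(simple_html, filename)
    if expected is None:
        return False  # fail closed: unlisted files are never accepted
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), expected)


# Constructed sample input: stands in for the verified netaddress-simple
# file and for the archive downloaded from one of its links.
SAMPLE_ARCHIVE = b"constructed archive bytes"
SAMPLE_MD5 = hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
SAMPLE_INDEX = (
    '<html><body><a href="../../packages/source/n/netaddress/'
    'netaddress-1.0.tar.gz#md5=%s">netaddress-1.0.tar.gz</a><br/>'
    '<a href="http://example.org/" rel="homepage">home</a></body></html>'
    % SAMPLE_MD5
)
```

The comparison is only meaningful when the list it reads from has passed the ``openssl dgst -verify`` step first.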

Trust in who the actual author of a package is depends solely on the 
trust in authentication and authorization procedures of the pypi 
service.

The whole procedure (excluding ``serverkey`` download) has to be 
repeated for every package.

The source code of ``verify.py``, a verification tool, is available in 
the ``tools`` subdirectory of the repositories [9]_ and [10]_.

An example of a verification shell script written by me (``verify.sh``) 
is included in this repository.



.. [1] http://www.pip-installer.org/en/latest/usage.html#package-checksum-hashes
.. [2] http://www.python.org/dev/peps/pep-0381/

.. [3] http://pyvideo.org/video/638/advanced-security-topics
.. [4] http://davidfischer.name/2012/05/signing-and-verifying-python-packages-with-pgp/
.. [5] https://github.com/pypa/pip/issues/425
.. [6] https://github.com/pypa/pip/pull/402
.. [7] http://superuser.com/questions/451772/do-pip-and-easy-install-download-python-packages-securely
.. [8] https://www.updateframework.com/wiki/SecuringPythonPackageManagement

.. [9]  https://bitbucket.org/tarek/pypi/overview
.. [10] https://bitbucket.org/loewis/pypi/overview

.. vi: ft=rst