=====================
pypi and pip security
=====================

Steps to secure
---------------
* Package upload to the central pypi repository

  * How is the uploader authenticated?
  * Are packages uploaded using a secure connection? HTTPS, SSH?
    Is it used at all times?
  * How privileged is the user after authentication? Which
    packages can one modify?

* Downloading the package and its dependencies

  * Sums verification of the package and its dependencies

    * Only MD5 sums are available
    * Where can one get the sums from?

      * package descriptions (human-readable) -- special suffixes
        in links (``#md5=``)

        * pip (version: Debian 1.1-3) ignores this suffix
          despite it being mentioned in the documentation _,
        * this method doesn't provide sums checking for

      * in the repository's subdirectory ``/simple``.

    * Authenticating sums _ from the ``/simple`` subdirectory of

      * ``/simple``, ``/serversig``, ``serverkey``
      * ``serverkey`` fetched via HTTPS using a well-known CA

  * Lack of OpenPGP signatures on packages and no method to verify
Execute the following commands::

    wget -O netaddress-simple http://d.pypi.python.org/simple/netaddress/
    wget -O netaddress-serversig http://d.pypi.python.org/serversig/netaddress
    openssl dgst -verify serverkey -signature netaddress-serversig netaddress-simple
At this point it is known whether the sums list is authenticated by pypi. Now
one can start checking whether the sum for the package matches the one on the

Trust in who the actual author of a package is depends solely on the
trust in the authentication and authorization procedures of the pypi
The whole procedure (excluding ``serverkey`` download) has to be
repeated for every package.
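The following Python script is an added illustration and is not the
``verify.py`` or ``verify.sh`` mentioned in this note. It shows the two
checks discussed above in code: parsing the ``#md5=`` suffixes out of a
``/simple/<pkg>/`` page and comparing one against a downloaded archive
(distinguishing a mismatch from the silent "no sum at all" case that pip
ignores), and a wrapper that runs the same ``openssl dgst -verify`` command
as above against ``serverkey``, ``/serversig/<pkg>`` and the saved page. It
assumes the PEP 381 layout described above and an ``openssl`` binary on
``PATH``; the sample page and archive bytes are constructed, not real pypi
output.

```python
"""Check #md5= fragments from a /simple/<pkg>/ page against an archive and
verify the page's server signature via openssl (added example, not the
note's own tools)."""
import hashlib
import hmac
import subprocess
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed stand-in for a downloaded archive body (not a real tarball).
SAMPLE_ARCHIVE = b"constructed archive bytes for demo-pkg-1.0\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_ARCHIVE).hexdigest()

# Constructed /simple/demo-pkg/ index page: one link carries an #md5=
# suffix, the other does not (the case where there is nothing to check).
SAMPLE_SIMPLE_PAGE = b"".join([
    b"<html><head><title>Links for demo-pkg</title></head><body>\n",
    b'<a href="../../packages/source/d/demo-pkg/demo-pkg-1.0.tar.gz#md5=',
    SAMPLE_MD5.encode("ascii"), b'">demo-pkg-1.0.tar.gz</a><br/>\n',
    b'<a href="http://example.invalid/demo-pkg-0.9.zip">demo-pkg-0.9.zip</a><br/>\n',
    b"</body></html>\n",
])


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags on the index page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def parse_md5_links(simple_page):
    """Map each linked filename to its #md5= hex digest, or None if absent."""
    collector = _LinkCollector()
    collector.feed(simple_page.decode("utf-8", "replace"))
    links = {}
    for href in collector.hrefs:
        parsed = urlparse(href)
        filename = unquote(parsed.path.rsplit("/", 1)[-1])
        fragment = parsed.fragment
        if fragment.startswith("md5=") and len(fragment) == 4 + 32:
            links[filename] = fragment[4:].lower()
        else:
            links[filename] = None
    return links


def verify_md5(archive, expected_hex):
    """Constant-time comparison of the archive's MD5 against the suffix."""
    actual = hashlib.md5(archive).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def check_archive(simple_page, filename, archive):
    """Return "ok", "mismatch", "no-sum" or "not-listed" for one archive.

    "no-sum" is the silent failure to watch for: with no suffix there is
    nothing to compare, so a successful install proves nothing.
    """
    links = parse_md5_links(simple_page)
    if filename not in links:
        return "not-listed"
    expected = links[filename]
    if expected is None:
        return "no-sum"
    return "ok" if verify_md5(archive, expected) else "mismatch"


def verify_serversig(serverkey_path, serversig_path, simple_page_path):
    """Run the note's openssl command; True only if openssl reports success.

    Assumes an openssl binary on PATH and a serverkey that was itself
    fetched over HTTPS, as the note requires; otherwise the signature
    only proves the page matches whatever key an intermediary supplied.
    """
    result = subprocess.run(
        ["openssl", "dgst", "-verify", serverkey_path,
         "-signature", serversig_path, simple_page_path],
        capture_output=True, text=True, check=False)
    return result.returncode == 0 and "Verified OK" in result.stdout


if __name__ == "__main__":
    for name, data in [("demo-pkg-1.0.tar.gz", SAMPLE_ARCHIVE),
                       ("demo-pkg-1.0.tar.gz", SAMPLE_ARCHIVE + b"\x00"),
                       ("demo-pkg-0.9.zip", SAMPLE_ARCHIVE)]:
        print(name, check_archive(SAMPLE_SIMPLE_PAGE, name, data))
```

``verify_serversig`` deliberately keeps the exact ``openssl dgst`` invocation
from above rather than re-implementing DSA, so its result is only as good
as that command; run the MD5 check only after the page has verified, since
an unauthenticated page can carry any suffix an attacker likes.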
The source code of ``verify.py``, a verification tool, is available in the
``tools`` subdirectory of the repositories _ and _.
An example of a verification shell script written by me (``verify.sh``)
is included in this repository.
.. __: http://www.pip-installer.org/en/latest/usage.html#package-checksum-hashes
.. __: http://www.python.org/dev/peps/pep-0381/
.. __: http://pyvideo.org/video/638/advanced-security-topics
.. __: http://davidfischer.name/2012/05/signing-and-verifying-python-packages-with-pgp/
.. __: https://github.com/pypa/pip/issues/425
.. __: https://github.com/pypa/pip/pull/402
.. __: http://superuser.com/questions/451772/do-pip-and-easy-install-download-python-packages-securely
.. __: https://www.updateframework.com/wiki/SecuringPythonPackageManagement
.. __: https://bitbucket.org/tarek/pypi/overview
.. __: https://bitbucket.org/loewis/pypi/overview
.. vi: ft=rst