pypi and pip security

Steps to secure

    * Package upload to the central pypi repository

        * How is the uploader authenticated?
        * Are packages uploaded over a secure connection (HTTPS, SSH)?
          Is it used at all times?
        * How privileged is the user after authentication? Which
          packages can one modify?

    * Downloading the package and its dependencies

        * Checksum verification of the package and its dependencies
        * Only MD5 sums are available (MD5 is no longer collision
          resistant, so an uploader can prepare two packages with the
          same sum; it still stops a mirror from silently swapping a
          file for a different one)
        * Where can one get the sums from?
            * package descriptions (human-readable) -- special suffixes
              in links (``#md5=``)

                * pip (version: Debian 1.1-3) ignores this suffix
                  despite it being mentioned in the documentation [1]_,
                * this method doesn't provide sums checking for
            * the repository's ``/simple`` subdirectory.

        * Authenticating the sums [2]_ from the ``/simple`` subdirectory of
          a mirror

            * ``/simple``, ``/serversig``, ``serverkey``: ``/serversig``
              holds the signature of the corresponding ``/simple`` page,
              which is verified with ``serverkey``
            * ``serverkey`` is fetched via HTTPS using a well-known CA

    * Lack of OpenPGP signatures on packages and no way to verify
      them automatically


Execute the following commands::

        wget -O netaddress-simple
        wget -O netaddress-serversig
        openssl dgst -verify serverkey -signature netaddress-serversig netaddress-simple

Note that ``openssl dgst`` without a digest option uses SHA-256 on
current OpenSSL releases; if the signature was made over SHA-1, pass
``-sha1`` explicitly, otherwise the check fails even for a genuine
signature.

At this point it is known whether the sums list is authenticated by
pypi. Now one can check whether the sum of the downloaded package
matches the one on the list (``netaddress-simple``).

Trust in who the actual author of a package is depends solely on trust
in the authentication and authorization procedures of the pypi

The whole procedure (except the ``serverkey`` download) has to be
repeated for every package.
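The check described above, carried through in code as an added example
(it is not the repository's own tool): parse the ``/simple`` page for
the ``#md5=`` fragments, compare the downloaded file's md5 against the
entry for its filename, and report the cases a practitioner cares about
separately (matching sum, mismatch, file listed without a sum, file not
on the page at all). The ``/simple/netaddress`` page and the package
bytes are constructed for the example, and the function names are
hypothetical. ``verify_serversig`` only wraps the ``openssl dgst``
command from the page, with ``-sha1`` given explicitly so the digest
matches a SHA-1 signature on newer OpenSSL.

```python
"""Added example: checking a downloaded sdist against the md5 list on a
PyPI /simple/<package> page, after the page's signature was verified."""
import hashlib
import hmac
import subprocess
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class SimpleIndexParser(HTMLParser):
    """Collect filename -> md5 (or None) from <a href="...#md5=..."> links."""

    def __init__(self):
        super().__init__()
        self.sums = {}

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if not href:
            return
        parts = urlsplit(href)
        filename = unquote(parts.path.rsplit("/", 1)[-1])
        md5 = None
        if parts.fragment.startswith("md5="):
            md5 = parts.fragment[len("md5="):].lower()
        # A link without the fragment is recorded too: it is a file the
        # index lists but gives us no way to check.
        self.sums[filename] = md5


def parse_simple_page(html):
    """Return {filename: md5-hex-or-None} for every link on the page."""
    parser = SimpleIndexParser()
    parser.feed(html)
    return parser.sums


def check_package(filename, data, sums):
    """Classify a downloaded file against the parsed index.

    Returns 'ok', 'mismatch', 'no-sum-on-index' or 'unknown-file'.
    Only 'ok' means anything, and only if the page itself was
    authenticated (see verify_serversig) before the sums were trusted.
    """
    if filename not in sums:
        return "unknown-file"
    expected = sums[filename]
    if expected is None:
        return "no-sum-on-index"
    actual = hashlib.md5(data).hexdigest()
    # compare_digest avoids leaking where the first differing byte is.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_serversig(simple_path, serversig_path, serverkey_path):
    """Run the page's openssl check; exit status 0 means 'Verified OK'.

    -sha1 is passed explicitly (assumption: the signature was made over
    SHA-1); recent OpenSSL otherwise defaults to SHA-256 and the check
    would fail for a genuine signature.
    """
    result = subprocess.run(
        ["openssl", "dgst", "-sha1", "-verify", serverkey_path,
         "-signature", serversig_path, simple_path],
        capture_output=True,
    )
    return result.returncode == 0


# Constructed sample data: a stand-in sdist and a /simple/netaddress page
# that lists it with an #md5= fragment, plus a second file without one.
GOOD_SDIST = b"constructed stand-in for netaddress-0.1.tar.gz\n"
GOOD_MD5 = hashlib.md5(GOOD_SDIST).hexdigest()
SIMPLE_PAGE = (
    "<html><head><title>Links for netaddress</title></head><body>\n"
    "<h1>Links for netaddress</h1>\n"
    '<a href="../../packages/source/n/netaddress/netaddress-0.1.tar.gz'
    f'#md5={GOOD_MD5}">netaddress-0.1.tar.gz</a><br/>\n'
    '<a href="http://example.invalid/netaddress-0.2.tar.gz">'
    "netaddress-0.2.tar.gz</a><br/>\n"
    "</body></html>\n"
)


if __name__ == "__main__":
    sums = parse_simple_page(SIMPLE_PAGE)
    for name, data in [("netaddress-0.1.tar.gz", GOOD_SDIST),
                       ("netaddress-0.1.tar.gz", GOOD_SDIST + b"tampered"),
                       ("netaddress-0.2.tar.gz", b"anything"),
                       ("netaddress-9.9.tar.gz", b"")]:
        print(name, check_package(name, data, sums))
```

In a real run the page would be the ``netaddress-simple`` file fetched
with ``wget`` above, and ``verify_serversig`` would be called on it
first; a package that comes back as ``no-sum-on-index`` is exactly the
case where pip, which ignores the fragment anyway, offers no protection.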

Source code of ```` -- a verification tool -- is available in the
``tools`` subdirectory of the repositories [9]_ and [10]_.

An example of a verification shell script written by me (````) 
is included in this repository.

.. [1]
.. [2]

.. [3]
.. [4]
.. [5]
.. [6]
.. [7]
.. [8]

.. [9]
.. [10]

.. vi: ft=rst