I'm using the Python Package Manager (PyPi) since a very long time and I couldn't help but notice that package signing feature isn't there at all (According to this reddit thread, it used to be there many years ago but they removed it sometime back for some unknown reasons).
That means, if I install some package by running pip install xyz
, there is no way for me to ensure whether its the same one uploaded by the author of that package. Which means that if the PyPI server got compromised any time in the future, millions of users could be affected because of this, not just one or two.
I've authored and published several packages on PyPi myself and hence, this makes me concerned. There is no way to upload the GPG signature file of my package anywhere, nor does pip
check the GPG signatures. So the user who installs my package has no way of knowing that it was me who uploaded it there.
This is a serious security concern and I hope the Python team comes up with some kind of solution soon.
Top comments (11)
From the Reddit discussion it seems PGP is highly flawed. Using TUF would be much better but it's quite hard to implement. So they are just forgoing the whole thing since they don't have the time and resources to work on such features.
There is no flaw in PGP, many other highly used projects like Debian and Ubuntu sign their packages using PGP. It seems, they (Python team) just don't want to be hassled with storing so many authors' PGP public keys and managing them like debian/ubuntu does! However, this feature can be made optional, so that only those who want to sign will upload their keys.
Besides, if they don't like PGP then they should come up with some other solution. Just postponing such a critical security issue isn't a good thing.
There are flaws. Read . There are other discussions online.
There are PEPs with proposals to fix the problem but they haven't been approved. Till then, developer vigilance is required.
If youβre concerned about this, then I would open an issue and maybe even propose a design to the
pip
community. Posting here isnβt actionable in any way. Bringing it up with thepip
maintainers is.Sure, you can open an issue but I doubt it'll be much helpful after reading this reddit thread. It seems they've deliberately chosen to not have package signing which seems beyond logic to me!
I know posting here isn't much actionable, consider this as just another rant!
You are quite right. I think the proper choice is github.com/JonathanLogan/codechain
There are certain interests out there that want to influence standards bodies to keep things as insecure as possible. It's not a conspiracy, it's reality.
From one of the original maintainers of
pip
: caremad.io/posts/2013/07/packaging...Well, maybe a distributed Pypi (on IPFS) would help solve this problem: github.com/ipfs/notes/issues/28
Some comments may only be visible to logged-in visitors. Sign in to view all comments.