Updates and figures for PEP 458 and PEP 480 by Vladimir Diaz.
This commit is contained in:
parent
6d5a4c3330
commit
70ca01847a
58
pep-0458.txt
58
pep-0458.txt
|
@ -3,7 +3,7 @@ Title: Surviving a Compromise of PyPI
|
||||||
Version: $Revision$
|
Version: $Revision$
|
||||||
Last-Modified: $Date$
|
Last-Modified: $Date$
|
||||||
Author: Trishank Karthik Kuppusamy <trishank@nyu.edu>,
|
Author: Trishank Karthik Kuppusamy <trishank@nyu.edu>,
|
||||||
Vladimir Diaz <vd558@nyu.edu>,
|
Vladimir Diaz <vladimir.diaz@nyu.edu>,
|
||||||
Donald Stufft <donald@stufft.io>, Justin Cappos <jcappos@nyu.edu>
|
Donald Stufft <donald@stufft.io>, Justin Cappos <jcappos@nyu.edu>
|
||||||
BDFL-Delegate: Richard Jones <r1chardj0n3s@gmail.com>
|
BDFL-Delegate: Richard Jones <r1chardj0n3s@gmail.com>
|
||||||
Discussions-To: DistUtils mailing list <distutils-sig@python.org>
|
Discussions-To: DistUtils mailing list <distutils-sig@python.org>
|
||||||
|
@ -44,12 +44,11 @@ interested in adopting TUF on the client side may consult TUF's `library
|
||||||
documentation`__, which exists for this purpose. Support for project
|
documentation`__, which exists for this purpose. Support for project
|
||||||
distributions that are signed by developers (maximum security model) is also
|
distributions that are signed by developers (maximum security model) is also
|
||||||
not discussed in this PEP, but is outlined in the appendix as a possible future
|
not discussed in this PEP, but is outlined in the appendix as a possible future
|
||||||
extension and covered in detail in PEP X [VD: Link to PEP once it is
|
extension and covered in detail in PEP 480 [26]_. The PEP 480 extension
|
||||||
completed]. The PEP X extension focuses on the maximum security model, which
|
focuses on the maximum security model, which requires more PyPI administrative
|
||||||
requires more PyPI administrative work (none by clients), but it also proposes
|
work (none by clients), but it also proposes an easy-to-use key management
|
||||||
an easy-to-use key management solution for developers, how to interface with a
|
solution for developers, how to interface with a potential future build farm on
|
||||||
potential future build farm on PyPI infrastructure, and discusses the
|
PyPI infrastructure, and discusses the feasibility of end-to-end signing.
|
||||||
feasibility of end-to-end signing.
|
|
||||||
|
|
||||||
__ https://github.com/theupdateframework/tuf/tree/develop/tuf/client#updaterpy
|
__ https://github.com/theupdateframework/tuf/tree/develop/tuf/client#updaterpy
|
||||||
|
|
||||||
|
@ -164,9 +163,8 @@ Terms used in this PEP are defined as follows:
|
||||||
* Metadata: Metadata are signed files that describe roles, other metadata, and
|
* Metadata: Metadata are signed files that describe roles, other metadata, and
|
||||||
target files.
|
target files.
|
||||||
|
|
||||||
* Repository: A repository is a resource compromised of named metadata and
|
* Repository: A repository is a resource comprised of named metadata and target
|
||||||
target files. Clients request metadata and target files stored on a
|
files. Clients request metadata and target files stored on a repository.
|
||||||
repository.
|
|
||||||
|
|
||||||
* Consistent snapshot: A set of TUF metadata and PyPI targets that capture the
|
* Consistent snapshot: A set of TUF metadata and PyPI targets that capture the
|
||||||
complete state of all projects on PyPI as they existed at some fixed point in
|
complete state of all projects on PyPI as they existed at some fixed point in
|
||||||
|
@ -302,7 +300,7 @@ available target files (in our case, it will be all files on PyPI under the
|
||||||
responsibilities without exception. Figure 1 provides a table of the roles
|
responsibilities without exception. Figure 1 provides a table of the roles
|
||||||
used in TUF.
|
used in TUF.
|
||||||
|
|
||||||
.. image:: figure1.png
|
.. image:: pep-0458/figure1.png
|
||||||
|
|
||||||
Figure 1: An overview of the TUF roles.
|
Figure 1: An overview of the TUF roles.
|
||||||
|
|
||||||
|
@ -322,7 +320,7 @@ also indicates the types of keys used to sign each role and which roles are
|
||||||
trusted to sign for files available on PyPI. The next two sections cover the
|
trusted to sign for files available on PyPI. The next two sections cover the
|
||||||
details of signing repository files and the types of keys used for each role.
|
details of signing repository files and the types of keys used for each role.
|
||||||
|
|
||||||
.. image:: figure2.png
|
.. image:: pep-0458/figure2.png
|
||||||
|
|
||||||
Figure 2: An overview of the role metadata available on PyPI.
|
Figure 2: An overview of the role metadata available on PyPI.
|
||||||
|
|
||||||
|
@ -743,10 +741,9 @@ attack other than a freeze attack, one must also compromise the *snapshot* key.
|
||||||
|
|
||||||
Finally, a compromise of the PyPI infrastructure MAY introduce malicious
|
Finally, a compromise of the PyPI infrastructure MAY introduce malicious
|
||||||
updates to *bins* projects because the keys for these roles are online. The
|
updates to *bins* projects because the keys for these roles are online. The
|
||||||
maximum security model discussed in the appendix addresses this issue. PEP X
|
maximum security model discussed in the appendix addresses this issue. PEP 480
|
||||||
[VD: Link to PEP once it is completed] also covers the maximum security model
|
also covers the maximum security model and goes into more detail on generating
|
||||||
and goes into more detail on generating developer keys and signing uploaded
|
developer keys and signing uploaded distributions.
|
||||||
distributions.
|
|
||||||
|
|
||||||
|
|
||||||
In the Event of a Key Compromise
|
In the Event of a Key Compromise
|
||||||
|
@ -908,10 +905,10 @@ The maximum security model and end-to-end signing have been intentionally
|
||||||
excluded from this PEP. Although both improve PyPI's ability to survive a
|
excluded from this PEP. Although both improve PyPI's ability to survive a
|
||||||
repository compromise and allow developers to sign their distributions, they
|
repository compromise and allow developers to sign their distributions, they
|
||||||
have been postponed for review as a potential future extension to PEP 458. PEP
|
have been postponed for review as a potential future extension to PEP 458. PEP
|
||||||
X [VD: Link to PEP once it is completed], which discusses the extension in
|
480 [26]_, which discusses the extension in detail, is available for review to
|
||||||
detail, is available for review to those developers interested in the
|
those developers interested in the end-to-end signing option. The maximum
|
||||||
end-to-end signing option. The maximum security model and end-to-end signing
|
security model and end-to-end signing are briefly covered in subsections that
|
||||||
are briefly covered in subsections that follow.
|
follow.
|
||||||
|
|
||||||
There are several reasons for not initially supporting the features discussed
|
There are several reasons for not initially supporting the features discussed
|
||||||
in this section:
|
in this section:
|
||||||
|
@ -960,7 +957,7 @@ all of the projects are signed by an online key. An attacker can corrupt
|
||||||
packages in the minimum security model, but not in the maximum model without
|
packages in the minimum security model, but not in the maximum model without
|
||||||
also compromising a developer's key.
|
also compromising a developer's key.
|
||||||
|
|
||||||
.. image:: figure3.png
|
.. image:: pep-0458/figure3.png
|
||||||
|
|
||||||
Figure 3: An overview of the metadata layout in the maximum security model.
|
Figure 3: An overview of the metadata layout in the maximum security model.
|
||||||
The maximum security model supports continuous delivery and survivable key
|
The maximum security model supports continuous delivery and survivable key
|
||||||
|
@ -975,15 +972,15 @@ downloaded by clients. PyPI is trusted to make uploaded projects available to
|
||||||
clients (they sign the metadata for this part of the process), and developers
|
clients (they sign the metadata for this part of the process), and developers
|
||||||
can sign the distributions that they upload.
|
can sign the distributions that they upload.
|
||||||
|
|
||||||
PEP X [VD: Link to PEP once it is completed] discusses the tools available to
|
PEP 480 [26]_ discusses the tools available to developers who sign the
|
||||||
developers who sign the distributions that they upload to PyPI. To summarize
|
distributions that they upload to PyPI. To summarize PEP 480, developers
|
||||||
PEP X, developers generate cryptographic keys and sign metadata in some
|
generate cryptographic keys and sign metadata in some automated fashion, where
|
||||||
automated fashion, where the metadata includes the information required to
|
the metadata includes the information required to verify the authenticity of
|
||||||
verify the authenticity of the distribution. The metadata is then uploaded to
|
the distribution. The metadata is then uploaded to PyPI by the client, where
|
||||||
PyPI by the client, where it will be available for download by package managers
|
it will be available for download by package managers such as pip (i.e.,
|
||||||
such as pip (i.e., package managers that support TUF metadata). The entire
|
package managers that support TUF metadata). The entire process is transparent
|
||||||
process is transparent to clients (using a package manager that supports TUF)
|
to clients (using a package manager that supports TUF) who download
|
||||||
who download distributions from PyPI.
|
distributions from PyPI.
|
||||||
|
|
||||||
|
|
||||||
Appendix C: PEP 470 and Projects Hosted Externally
|
Appendix C: PEP 470 and Projects Hosted Externally
|
||||||
|
@ -1065,6 +1062,7 @@ References
|
||||||
.. [23] https://www.openssl.org/
|
.. [23] https://www.openssl.org/
|
||||||
.. [24] https://pypi.python.org/pypi/pycrypto
|
.. [24] https://pypi.python.org/pypi/pycrypto
|
||||||
.. [25] http://ed25519.cr.yp.to/
|
.. [25] http://ed25519.cr.yp.to/
|
||||||
|
.. [26] https://www.python.org/dev/peps/pep-0480/
|
||||||
|
|
||||||
Acknowledgements
|
Acknowledgements
|
||||||
================
|
================
|
||||||
|
|
Binary file not shown.
After Width: | Height: | Size: 93 KiB |
Binary file not shown.
After Width: | Height: | Size: 18 KiB |
Binary file not shown.
After Width: | Height: | Size: 31 KiB |
|
@ -3,7 +3,7 @@ Title: Surviving a Compromise of PyPI: The Maximum Security Model
|
||||||
Version: $Revision$
|
Version: $Revision$
|
||||||
Last-Modified: $Date$
|
Last-Modified: $Date$
|
||||||
Author: Trishank Karthik Kuppusamy <trishank@nyu.edu>,
|
Author: Trishank Karthik Kuppusamy <trishank@nyu.edu>,
|
||||||
Vladimir Diaz <vd558@nyu.edu>, Donald Stufft <donald@stufft.io>,
|
Vladimir Diaz <vladimir.diaz@nyu.edu>, Donald Stufft <donald@stufft.io>,
|
||||||
Justin Cappos <jcappos@nyu.edu>
|
Justin Cappos <jcappos@nyu.edu>
|
||||||
BDFL-Delegate: Richard Jones <r1chardj0n3s@gmail.com>
|
BDFL-Delegate: Richard Jones <r1chardj0n3s@gmail.com>
|
||||||
Discussions-To: DistUtils mailing list <distutils-sig@python.org>
|
Discussions-To: DistUtils mailing list <distutils-sig@python.org>
|
||||||
|
@ -186,7 +186,7 @@ projects are signed by an online key. That is, an attacker is able to corrupt
|
||||||
packages in the minimum security model, but not in the maximum model, without
|
packages in the minimum security model, but not in the maximum model, without
|
||||||
also compromising a developer's key.
|
also compromising a developer's key.
|
||||||
|
|
||||||
.. image:: figure1.png
|
.. image:: pep-0480/figure1.png
|
||||||
|
|
||||||
Figure 1: An overview of the metadata layout in the maximum security model.
|
Figure 1: An overview of the metadata layout in the maximum security model.
|
||||||
The maximum security model supports continuous delivery and survivable key
|
The maximum security model supports continuous delivery and survivable key
|
||||||
|
|
Binary file not shown.
After Width: | Height: | Size: 31 KiB |
Loading…
Reference in New Issue