PEP 458: Add abstract per discussion here: https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/52 (#1268)
This commit is contained in:
parent
99dd06f78e
commit
c6fa90376e
47
pep-0458.txt
47
pep-0458.txt
|
@ -22,6 +22,53 @@ Created: 27-Sep-2013
|
|||
Abstract
|
||||
========
|
||||
|
||||
Attacks on software repositories are common, even in organizations with very
|
||||
good security practices__. The resulting repository compromise allows an
|
||||
attacker to edit all files stored on the repository and sign these files using
|
||||
any keys stored on the repository (online keys). In many signing schemes (like
|
||||
TLS), this access allows the attacker to replace files on the repository and
|
||||
make it look like these files are coming from PyPI. Without a way to revoke and
|
||||
replace the trusted private key, it is very challenging to recover from a
|
||||
repository compromise. In addition to the dangers of repository compromise,
|
||||
software repositories are vulnerable to an attacker on the network (MITM)
|
||||
intercepting and changing files. These and other attacks on software
|
||||
repositories are detailed here__. This PEP aims to protect users of PyPI from
|
||||
compromises of the integrity, consistency and freshness properties of PyPI
|
||||
packages, and enhances compromise resilience, by mitigating key risk and
|
||||
providing mechanisms to recover from a compromise of PyPI or its signing keys.
|
||||
In addition to protecting direct users of PyPI, this PEP aims to provide similar
|
||||
protection for users of PyPI mirrors.
|
||||
|
||||
To provide compromise resilient protection of PyPI, this PEP proposes the use of
|
||||
The Update Framework [2]_ (TUF). TUF provides protection from a variety of
|
||||
attacks on software update systems, while also providing mechanisms to recover
|
||||
from a repository compromise. TUF has been used in production by a number of
|
||||
organizations, including use in Cloud Native Computing Foundation’s Notary
|
||||
service, which provides the infrastructure for container image signing in Docker
|
||||
Registry. The TUF specification has been the subject of three independent
|
||||
security audits__.
|
||||
|
||||
This PEP describes changes to the PyPI infrastructure that are needed to ensure
|
||||
that users get valid packages from PyPI. These changes should have minimal
|
||||
impact on other parts of the ecosystem. The PEP focuses on communication between
|
||||
PyPI and users, and so does not require any action by package developers.
|
||||
Developers will upload packages using the current process, and PyPI will
|
||||
automatically sign these packages. In order for the security mechanism to be
|
||||
effective, additional work will need to be done by PyPI consumers (like pip) to
|
||||
verify the signatures and metadata provided by PyPI. This verification can be
|
||||
transparent to users (unless it fails) and provides an automatic security
|
||||
mechanism. There is documentation for how to consume TUF metadata in the TUF
|
||||
repository. However, changes to PyPI consumers are not required, and can be done
|
||||
according to the timelines and priorities of individual projects.
|
||||
|
||||
__ https://github.com/theupdateframework/pip/wiki/Attacks-on-software-repositories
|
||||
__ https://theupdateframework.github.io/security.html
|
||||
__ https://theupdateframework.github.io/audits.html
|
||||
|
||||
|
||||
Proposed TUF Integration
|
||||
========================
|
||||
|
||||
This PEP proposes how The Update Framework [2]_ (TUF) should be integrated with the
|
||||
Python Package Index (PyPI [1]_). TUF was designed to be a flexible
|
||||
security add-on to a software updater or package manager. The framework
|
||||
|
|
Loading…
Reference in New Issue