[TriLUG] The sad state of sysadmin in the age of containers

Sean Alexandre via TriLUG trilug at trilug.org
Fri Mar 13 15:41:47 EDT 2015


On Fri, Mar 13, 2015 at 02:33:27PM -0400, Igor Partola wrote:
> > Signing and rolling releases aren't mutually exclusive. It's perfectly
> > reasonable to expect an upstream developer to sign releases with each new
> > version. This isn't difficult, and not hard for a downstream packager to
> > check.
> 
> The first part of this paragraph is correct: it costs me nothing, as a
> developer, to sign my releases. The second part implies that there is a
> downstream author. Debian stable includes roughly 48,500 packages. That's a
> lot. But look at http://www.modulecounts.com/. The NodeJS packages via npm
> include nearly 3 times as many at just under 140,000. PyPI includes over
> 55,000. Many of these are useful, yet little known. Not every one of these
> has a trusted "downstream" maintainer who is also widely trusted by the
> community. In other words, it's a question of resources: there aren't
> enough maintainers for all these packages. Thus, the signature on the
> package tells you nothing since anybody can create a PGP keypair and sign a
> package.

I understand what you're saying, and agree it's a problem. It's one of the
reasons I don't use Python as much as I would. I mostly stick to what comes
packaged with Debian (not to say that's perfect either, just safer.)

I like your HTTPS/HTTP/CA argument -- that PyPI get HTTPS support working
first, and then figure out the CA and/or web-of-trust problem. This to me is
another example of "defense in depth", and is a layered defense. Even just one
layer raises the bar for what it takes to deploy an exploit.

I think the same thing could be done with package signing. Add layers of
defense over time. One important layer would be for packagers to sign their
releases. The next steps aren't as easy, but definitely doable. Build up
a web-of-trust with PGP. It doesn't have to be a perfect WoT either. Every link
makes it stronger. It can grow over time. 

I try to follow what's going on with Python, with this. This seems to be some
of the latest on where things stand:

pip should not execute arbitrary code from the Internet
https://github.com/pypa/pip/issues/425

I don't follow it as closely as I'd like, though. I'd like to hear of more, or
of some official position if there is one.

So not an easy problem to solve, but solvable, and important to solve.

Do enough people care?
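The "every link makes it stronger" point above, as an added illustration that is not code from this thread: a reduced model of the classic PGP trust rules (assumption: one fully trusted or three marginally trusted valid signers validate a key, within a maximum certification depth) run over a constructed key graph, showing an upstream release key that is not yet valid becoming valid once one more marginally trusted signer certifies it.

```python
"""Simplified PGP web-of-trust validity check on a constructed key graph."""
from collections import defaultdict

# Assumed parameters, mirroring GnuPG's classic defaults in reduced form.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def valid_keys(signatures, owner_trust, ultimate):
    """Return {key: depth} for every key that is valid.

    signatures: iterable of (signer, signed) pairs (key-signature edges).
    owner_trust: {key: 'full' | 'marginal'}, how much we trust a key holder
                 to certify others; unlisted keys carry no owner trust.
    ultimate: set of our own keys (valid at depth 0, fully trusted).
    """
    signed_by = defaultdict(set)
    for signer, signed in signatures:
        signed_by[signed].add(signer)
    valid = {k: 0 for k in ultimate}
    changed = True
    while changed:  # propagate until no further key becomes valid
        changed = False
        for key, signers in signed_by.items():
            if key in valid:
                continue
            # Only signers whose own keys are valid AND whose holders we trust
            # count toward validating this key.
            live = [s for s in signers if s in valid]
            full = [s for s in live if s in ultimate or owner_trust.get(s) == "full"]
            marginal = [s for s in live if owner_trust.get(s) == "marginal"]
            if len(full) >= COMPLETES_NEEDED:
                certifiers = full
            elif len(marginal) >= MARGINALS_NEEDED:
                certifiers = marginal
            else:
                continue
            depth = 1 + min(valid[s] for s in certifiers)
            if depth <= MAX_CERT_DEPTH:
                valid[key] = depth
                changed = True
    return valid


def release_key_valid(with_carol_signature):
    """Constructed scenario: 'me' has signed alice, bob and carol and trusts
    them marginally; the upstream 'release-key' is signed by alice and bob,
    and optionally by carol. Returns whether 'release-key' is valid."""
    sigs = [("me", "alice"), ("me", "bob"), ("me", "carol"),
            ("alice", "release-key"), ("bob", "release-key")]
    if with_carol_signature:
        sigs.append(("carol", "release-key"))  # the one extra link
    trust = {"alice": "marginal", "bob": "marginal", "carol": "marginal"}
    return "release-key" in valid_keys(sigs, trust, {"me"})
```

With two marginal signers the release key stays unverified; the third signature is the link that makes it valid, without anyone needing a single fully trusted path.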
