[TriLUG] The sad state of sysadmin in the age of containers

[Igor Partola via TriLUG]

Well, I certainly care. And with PyPI you are already able to and
encouraged to sign your releases. I understand what you are saying
regarding depths or layers of security: we should have HTTPS, package
signing, and independent code reviews. Two of these three thing are already
available and easy, and are a best practice. There is no reason to not sign
your releases or not use HTTPS. The third is incredibly hard and not widely
available.

WoT does not actually protect the code itself. It simply says "developer
@haxor signed this release." Let's say I am @haxor and you know me
personally and have verified my identity directly. You know for a fact that
this code comes from me. Now, how do you know the NSA didn't compel me to
put in a backdoor? Or that they did not compromise my workstation to insert
a backdoor into every piece of code I release, right before I upload it to
PyPI? The only way to verify that is for security researchers to pore over
every piece of code released on PyPI, NPM, etc. and that's just not
feasible because there aren't enough security researchers. All this means
is that the last mile of code security and security guarantees is an
incredibly hard resource allocation problem, which cannot be solved with
release signing.

Igor

P.S.: pip executing arbitrary code is bad. Of course dpkg can do the same,
and so can rpm. All include ability to run arbitrary code in the form of
pre and post install/remove scripts inside the package, and all can be fed
packages that come from anywhere, including unsigned repositories. pip is
really the analog of apt + dpkg: it downloads packages, and installs them.
apt is by default configured to only look at distro repos, but does not
have to, and can easily be bypassed.