Richard Jones | 2 Jan 08:13 2009

Application downloads hosted by PyPI?

When I initially implemented PyPI file hosting it was specifically designed to 
only handle files generated by distutils.

I'm now in a position where I'd personally like to upload an application (well, 
a zip file of an application) to the index. I've solved the problem of 
generating the application distribution files* but to get it to upload I had 
to tell PyPI that it was an sdist, and include a PKG-INFO file (to pass the 
basic test I put in place to make sure that sdist files being uploaded really 
were sdist files).

Clearly this is not optimal as the file is not really an sdist ;)

I couldn't upload it as a "bdist" because PyPI understands that binary 
distributions are Python-version-specific. My application distribution is not 
version specific.

What do people think about adding a new file type allowed for upload of 
"application" or similar?

    Richard

* see my blog entry for more information:
http://www.mechanicalcat.net/richard/log/Python/Sane_Python_application_packaging__initial_solution
Jesus Cea | 5 Jan 18:03 2009

Replication and security


Currently setuptools allows uploading a PGP signature along with the package,
to be able to check integrity and security. As far as I know, currently
"easy_install" doesn't check it. That is bad, but life sucks.

My problem now is with mirrors: how can anybody validate files?
Besides the possible PGP signatures of authors (a check that should be
integrated in "easy_install"), I would like the PYPI main server (I guess it
would be the single point where people upload new packages; the mirrors
would be read-only) to digitally sign each uploaded package. This way,
easy_install can check any package downloaded from any mirror, because
the PYPI public key would be a well-known value.

I have code in python to digitally sign/verify signatures using ElGamal
algorithm. Any interest?

--
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea <at> jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea <at> jabber.org         _/_/    _/_/          _/_/_/_/_/
.                              _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
"Martin v. Löwis" | 5 Jan 18:42 2009

Re: Replication and security

> I have code in python to digitally sign/verify signatures using ElGamal
> algorithm. Any interest?

I rather prefer standard PGP signatures (with whatever signature
algorithm the server key uses).

Regards,
Martin
Jesus Cea | 5 Jan 18:56 2009

Re: Replication and security


Martin v. Löwis wrote:
>> I have code in python to digitally sign/verify signatures using ElGamal
>> algorithm. Any interest?
> 
> I rather prefer standard PGP signatures (with whatever signature
> algorithm the server key uses).

Me too, but then you require an OpenPGP implementation in Python or a
pgp/gpg program around, correctly configured, with the PYPI public key
installed, etc.

Instead, ElGamal signatures are verified in 12 lines of 100% Python code.

I am talking about checking that a package actually comes from PyPI, not
the PGP author signature. This is important if anybody can deploy a
mirror... At least "easy_install" can automatically verify that the
downloaded package, from a mirror, originated from the main PYPI
server and was not modified in any way.

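As an added example for the two messages above (it is not code from this thread and not Jesus Cea's own implementation), here is the scheme he describes in pure Python with no OpenPGP dependency: the main PyPI server signs every uploaded file with an ElGamal key, and a client that fetched the file from a mirror verifies it against the well-known PyPI public key. The group parameters (a 61-bit Mersenne prime and a generator search over the factors of p-1), the file names and the mirror dictionaries are assumptions made for the demonstration; a real deployment needs a prime of at least 2048 bits.

```python
import hashlib
import math
import secrets

# Toy group parameters (assumed for this example, not from the thread):
# p is the Mersenne prime 2**61 - 1. 61 bits is only so the example runs
# instantly; a real PyPI key would use a prime of 2048 bits or more.
P = (1 << 61) - 1
# Distinct prime factors of p - 1 = 2 * (2**30 - 1) * (2**30 + 1), needed to
# confirm that a candidate g really generates the whole group Z_p^*.
P_MINUS_1_FACTORS = (2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321)


def is_generator(g, p=P, factors=P_MINUS_1_FACTORS):
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def find_generator(p=P):
    g = 2                      # 2 has order 61 in this group, so it is skipped
    while not is_generator(g, p):
        g += 1
    return g


def keygen(p=P):
    """PyPI's long-term signing key: private x, public (p, g, y = g^x mod p)."""
    g = find_generator(p)
    x = 2 + secrets.randbelow(p - 3)           # x in [2, p-2]
    return (p, g, pow(g, x, p)), x


def hash_to_exponent(data, p=P):
    """SHA-256 of the package bytes, reduced into the exponent group Z_(p-1).
    With a 2048-bit p the full digest fits; the toy p truncates it to 61 bits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (p - 1)


def sign(private_x, pub, data):
    """ElGamal signature (r, s) over data; run on the PyPI master at upload time."""
    p, g, _ = pub
    h = hash_to_exponent(data, p)
    while True:
        k = 2 + secrets.randbelow(p - 3)       # fresh secret nonce per signature
        if math.gcd(k, p - 1) != 1:
            continue                           # k must be invertible mod p-1
        r = pow(g, k, p)
        s = (h - private_x * r) * pow(k, -1, p - 1) % (p - 1)
        if s != 0:                             # s == 0 would reveal x; retry
            return r, s


def verify(pub, data, sig):
    """Client-side check: accept iff g^h == y^r * r^s (mod p).
    The range check on r is not optional: implementations that omit 0 < r < p
    are open to the classic forgery that reuses a valid r shifted by p."""
    p, g, y = pub
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):
        return False
    h = hash_to_exponent(data, p)
    return pow(g, h, p) == pow(y, r, p) * pow(r, s, p) % p


def demo():
    """PyPI signs at upload; a client installs from a mirror and verifies."""
    pypi_pub, pypi_priv = keygen()             # public part ships inside the installer
    sdist = b"constructed sdist bytes: foo-1.0.tar.gz"   # constructed sample package
    sig = sign(pypi_priv, pypi_pub, sdist)
    # A read-only mirror republishes the archive and the PyPI signature verbatim...
    honest_mirror = {"foo-1.0.tar.gz": sdist, "foo-1.0.tar.gz.sig": sig}
    # ...while a compromised mirror can swap the archive but cannot re-sign it.
    evil_mirror = {"foo-1.0.tar.gz": sdist + b"\n# backdoor", "foo-1.0.tar.gz.sig": sig}
    return {
        "honest": verify(pypi_pub, honest_mirror["foo-1.0.tar.gz"],
                         honest_mirror["foo-1.0.tar.gz.sig"]),
        "tampered": verify(pypi_pub, evil_mirror["foo-1.0.tar.gz"],
                           evil_mirror["foo-1.0.tar.gz.sig"]),
    }


if __name__ == "__main__":
    print(demo())
```

The signature attests only that the bytes are what PyPI served at upload time, not who uploaded them, which is exactly the property that makes an untrusted mirror safe to install from; author-level trust still needs the separate PGP signature. The signing nonce k must be unpredictable and never reused, since two signatures under the same k expose the private key.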
Tarek Ziadé | 9 Jan 17:24 2009

Re: [distutils] make the storage of the password optional in .pypirc

On Fri, Jan 9, 2009 at 4:45 PM, Marius Gedminas <marius <at> pov.lt> wrote:
> On Fri, Jan 09, 2009 at 10:17:50AM -0500, Benji York wrote:
>> On Fri, Jan 9, 2009 at 10:08 AM, Stephen Emslie <stephenemslie <at> gmail.com> wrote:
>> > A bit OT, but from your blog post on the subject:
>> >
>> >>I'd like to go further and to think about a ssh-agent like system, so there's no need
>> >>to enter the password everytime you work with PyPI in the same session.
>> >
>> > Have you had any feedback on this yet?
>>
>> Here's some:  how about instead of an ssh-like system, use ssh itself.  Front
>> PyPI with an ssh server that users connect to.  That way it is both secure and
>> the infrastructure (agent, etc.) is already in place.
>
> Yes please.  I'd rather have one agent running and reuse my SSH key for
> authentication.

That would be awesome indeed. But that would involve quite some
changes on the server side.
I'll forward this mail to catalog-sig for Richard, Martin and others' feedback.

Regards
Tarek

-- 
Tarek Ziadé | Association AfPy | www.afpy.org
Blog FR | http://programmation-python.org
Blog EN | http://tarekziade.wordpress.com/
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG <at> python.org

"Martin v. Löwis" | 9 Jan 21:18 2009

Re: [Catalog-sig] [distutils] make the storage of the password optional in .pypirc

>>> Here's some:  how about instead of an ssh-like system, use ssh itself.  Front
>>> PyPI with an ssh server that users connect to.  That way it is both secure and
>>> the infrastructure (agent, etc.) is already in place.
>> Yes please.  I'd rather have one agent running and reuse my SSH key for
>> authentication.
> 
> That would be awesome indeed. But that would involve quite some
> changes on server side,
> I'll forward this mail to catalog-sig for Richard, Martin and others's feedback

I'm fairly skeptical. First, the infrastructure is *not* yet in place.
Nobody has uploaded SSH keys to PyPI, and in order to allow SSH access,
we probably would need to create a Unix account, which then runs a fixed
(Python) program on ssh login. That is much less secure than the current
setup, in the sense that this program can probably be tricked much more easily
than Apache can. So it opens a door for people hacking into the system;
all they have to do is to create a fake PyPI account and upload an SSH
key...

To improve password storage, I think it would be better to use the
platform's secure password storage services where available (e.g.
OSX Keychain, KDE KWallet, etc). Of course, such a library should be
developed independently of distutils. For Keychain, there is already

http://muffinresearch.co.uk/archives/2008/02/05/python-keychainpy-access-to-the-mac-osx-keychain/

Regards,
Martin

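An added example of the direction Martin suggests (not code from the thread, and not distutils' own implementation): read a .pypirc in which the password line is optional, fetch the password from the platform secret store when one is available, and fall back to a prompt. The sample .pypirc is constructed; the use of the third-party keyring package as the bridge to Keychain/KWallet and the (password, source) return shape are assumptions for the demonstration.

```python
import configparser
import getpass
import stat

# Constructed sample .pypirc in the layout distutils reads (a [distutils]
# index-servers list plus one section per server). The password line is
# deliberately absent; that must not be a parse error.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi

[pypi]
repository: http://pypi.python.org/pypi
username: jdoe
"""


def read_pypirc(text):
    """Parse .pypirc text into {server: {'repository', 'username', 'password'}}.
    'password' is None when the line is missing instead of raising."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    servers = cp.get("distutils", "index-servers").split()
    return {
        name: {
            "repository": cp[name].get("repository"),
            "username": cp[name].get("username"),
            "password": cp[name].get("password"),   # None if absent
        }
        for name in servers
    }


def permissions_ok(mode):
    """A .pypirc that still carries a plaintext password must not be readable
    by group or others; mode is the st_mode value from os.stat()."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def resolve_password(server_cfg, service="pypi", store_get=None,
                     prompt=getpass.getpass):
    """Pick the password for a server without requiring it in .pypirc.

    Order: platform secret store (keyring, if installed), then the .pypirc
    value for backwards compatibility, then an interactive prompt.
    Returns (password, source). store_get(service, username) -> str | None
    is injectable so the lookup can be tested without a real keychain.
    """
    username = server_cfg["username"]
    if store_get is None:
        try:
            import keyring            # optional; wraps Keychain, KWallet, etc.
            store_get = keyring.get_password
        except ImportError:
            store_get = lambda service, user: None
    secret = store_get(service, username)
    if secret:
        return secret, "keyring"
    if server_cfg.get("password"):
        return server_cfg["password"], "pypirc"
    return prompt("Password for %s at %s: " % (username, service)), "prompt"


if __name__ == "__main__":
    cfg = read_pypirc(SAMPLE_PYPIRC)
    print(resolve_password(cfg["pypi"], store_get=lambda s, u: None,
                           prompt=lambda msg: "<typed at the terminal>"))
```

Storing the secret with `keyring.set_password("pypi", username, password)` once, then leaving the line out of .pypirc, keeps the plaintext out of the home directory entirely; the permission check covers users who have not migrated yet.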

Jim Fulton | 9 Jan 21:57 2009

Re: [Catalog-sig] [distutils] make the storage of the password optional in .pypirc


On Jan 9, 2009, at 3:18 PM, Martin v. Löwis wrote:

>>>> Here's some:  how about instead of an ssh-like system, use ssh  
>>>> itself.  Front
>>>> PyPI with an ssh server that users connect to.  That way it is  
>>>> both secure and
>>>> the infrastructure (agent, etc.) is already in place.
>>> Yes please.  I'd rather have one agent running and reuse my SSH  
>>> key for
>>> authentication.
>>
>> That would be awesome indeed. But that would involve quite some
>> changes on server side,
>> I'll forward this mail to catalog-sig for Richard, Martin and  
>> others's feedback
>
> I'm fairly skeptical. First, the infrastructure is *not* yet in place.
> Nobody has uploaded SSH keys to PyPI,

Right. PyPI would have to grow the ability to manage public keys for  
users.

> and in order to allow SSH access,
> we probably would need to create a Unix account,

No, you would not.

> which then runs a fixed
> (Python) program on ssh login. That is much less secure than the  

"Martin v. Löwis" | 9 Jan 22:03 2009

Re: [Catalog-sig] [distutils] make the storage of the password optional in .pypirc

> No. You'd have a new server process, written in Python using Twisted or
> paramiko, that would provide a small number of specialized
> commands and that would read public keys from the pypi database for
> authentication and update the database in response to commands,

Ok. I guess "contributions are welcome".

Regards,
Martin

Jim Fulton | 9 Jan 22:02 2009

Re: [Catalog-sig] [distutils] make the storage of the password optional in .pypirc


On Jan 9, 2009, at 3:57 PM, Jim Fulton wrote:
> No. You'd have a new server process, written in Python using Twisted  
> or paramiko, that would provide a small number of specialized  
> commands

Or better yet, supported scp.  Then the upload/register process would  
be reduced to just scp-ing a distro to pypi.  The server could read  
meta-data from the distro, register the release, if necessary, and put  
the distro in the right place.

Jim

--
Jim Fulton
Zope Corporation


"Martin v. Löwis" | 9 Jan 22:07 2009

Re: [Distutils] [distutils] make the storage of the password optional in .pypirc

> Or better yet, supported scp.  Then the upload/register process would be
> reduced to just scp-ing a distro to pypi.  The server could read
> meta-data from the distro, register the release, if necessary, and put
> the distro in the right place.

That wouldn't fit too well with the existing "register" and "upload"
commands, I think.

Regards,
Martin
