←back to thread

PyPI now supports digital attestations

(blog.pypi.org)
218 points miketheman | 9 comments | 14 Nov 24 14:25 UTC | HN request time: 0s | source | bottom
Show context
amelius ◴[14 Nov 24 23:56 UTC] No.42142619[source]
I'm curious what would happen if a maintainer's PC is compromised. Is there any line of defense left at that point?
replies(2): >>42144542 #>>42144678 #
1. guappa ◴[15 Nov 24 07:03 UTC] No.42144542[source]
None.

Developer machine will have ssh keys and github tokens that can be used to push a commit on github, that will be built, signed, and uploaded on pypi.

replies(1): >>42145462 #
2. amelius ◴[15 Nov 24 10:06 UTC] No.42145462[source]
That sounds like a gigantic attack surface then ...
replies(1): >>42145580 #
3. guappa ◴[15 Nov 24 10:31 UTC] No.42145580[source]
I think since when they have 2FA PyPI is less secure.

Before I could learn my password and type it on twine. If my machine was stolen no upload on pypi was possible.

Now it's a token file on my disk so if my machine is stolen, then token can be used to publish.

Using github to publish doesn't change anything: if my machine is stolen the token needed to publish is still there, but instead of directly to pypi it will need to go via github first.

replies(1): >>42146501 #
4. amelius ◴[15 Nov 24 12:59 UTC] No.42146501{3}[source]
Tokens are a problem too (a yubikey might be a solution).

But an attacker could simply edit the source code on the maintainer's machine directly, and it could go unnoticed.

replies(2): >>42147003 #>>42183144 #
5. cpburns2009 ◴[15 Nov 24 14:01 UTC] No.42147003{4}[source]
I doubt Yubikey would help without some fancy setup. 2FA is required to sign into PyPI but that's it. When PyPI rolled it out I thought you'd have to use 2FA every time you publish. I thought they were taking security seriously. But no, you get your API token, save it to your computer, forget about it, and you can publish your packages forever. Now you can have Github automatically publish your packages. That's not any improvement to security. My Google security key is just collecting dust.
replies(2): >>42155786 #>>42183164 #
6. amelius ◴[16 Nov 24 10:59 UTC] No.42155786{5}[source]
I'm now thinking about a system that can enforce that any line of code committed to the Git repo has been on the user's screen for at least X seconds. It could be a system completely isolated from the computer on which code is entered (e.g. via the HDMI cable).
replies(1): >>42183187 #
7. guappa ◴[19 Nov 24 13:24 UTC] No.42183144{4}[source]
> Tokens are a problem too (a yubikey might be a solution).

Not the way they implement things. When they started forcing people to use 2FA, google also made a titan keys giveaway. But you set it up on your account, generate a token and that's it.

Identical situation on github. Setup 2FA with an hardware key, then generate a token and never use the hardware key ever again.

8. guappa ◴[19 Nov 24 13:26 UTC] No.42183164{5}[source]
Eh mine too. I got it because I had an essential package or whatever when they started forcing 2FA to people, and I thought twine would require me to authenticate with the key to be authorised to publish.

But they didn't touch twine at all. They just made me create a token and save it in a .txt file. That's it.

9. guappa ◴[19 Nov 24 13:29 UTC] No.42183187{6}[source]
How could you ever enforce that?