←back to thread

218 points miketheman | 7 comments | | HN request time: 1.149s | source | bottom
Show context
amelius ◴[] No.42142619[source]
I'm curious what would happen if a maintainer's PC is compromised. Is there any line of defense left at that point?
replies(2): >>42144542 #>>42144678 #
guappa ◴[] No.42144542[source]
None.

Developer machine will have ssh keys and github tokens that can be used to push a commit on github, that will be built, signed, and uploaded on pypi.

replies(1): >>42145462 #
amelius ◴[] No.42145462[source]
That sounds like a gigantic attack surface then ...
replies(1): >>42145580 #
1. guappa ◴[] No.42145580[source]
I think since when they have 2FA PyPI is less secure.

Before I could learn my password and type it on twine. If my machine was stolen no upload on pypi was possible.

Now it's a token file on my disk so if my machine is stolen, then token can be used to publish.

Using github to publish doesn't change anything: if my machine is stolen the token needed to publish is still there, but instead of directly to pypi it will need to go via github first.

replies(1): >>42146501 #
2. amelius ◴[] No.42146501[source]
Tokens are a problem too (a yubikey might be a solution).

But an attacker could simply edit the source code on the maintainer's machine directly, and it could go unnoticed.

replies(2): >>42147003 #>>42183144 #
3. cpburns2009 ◴[] No.42147003[source]
I doubt Yubikey would help without some fancy setup. 2FA is required to sign into PyPI but that's it. When PyPI rolled it out I thought you'd have to use 2FA every time you publish. I thought they were taking security seriously. But no, you get your API token, save it to your computer, forget about it, and you can publish your packages forever. Now you can have Github automatically publish your packages. That's not any improvement to security. My Google security key is just collecting dust.
replies(2): >>42155786 #>>42183164 #
4. amelius ◴[] No.42155786{3}[source]
I'm now thinking about a system that can enforce that any line of code committed to the Git repo has been on the user's screen for at least X seconds. It could be a system completely isolated from the computer on which code is entered (e.g. via the HDMI cable).
replies(1): >>42183187 #
5. guappa ◴[] No.42183144[source]
> Tokens are a problem too (a yubikey might be a solution).

Not the way they implement things. When they started forcing people to use 2FA, google also made a titan keys giveaway. But you set it up on your account, generate a token and that's it.

Identical situation on github. Setup 2FA with an hardware key, then generate a token and never use the hardware key ever again.

6. guappa ◴[] No.42183164{3}[source]
Eh mine too. I got it because I had an essential package or whatever when they started forcing 2FA to people, and I thought twine would require me to authenticate with the key to be authorised to publish.

But they didn't touch twine at all. They just made me create a token and save it in a .txt file. That's it.

7. guappa ◴[] No.42183187{4}[source]
How could you ever enforce that?