←back to thread

218 points miketheman | 6 comments | | HN request time: 0.013s | source | bottom
Show context
belval ◴[] No.42137562[source]
I have a bit of uneasiness about how this is heavily pushing GitHub actions as the correct way to publish to PyPI. I had to check PEP740 to make sure it was not directly supported by Microsoft.

> The generation and publication of attestations happens by default, and no changes are necessary for projects that meet all of these conditions: publish from GitHub Actions; via Trusted Publishing; and use the pypa/gh-action-pypi-publish action to publish.

If you then click on "The manual way" it adds a big disclaimer:

> STOP! You probably don't need this section; it exists only to provide some internal details about how attestation generation and uploading work. If you're an ordinary user, it is strongly recommended that you use one of the official workflows described above.

Where the only official workflow is "Use GitHub Actions".

I guess I am an idealist but as a maintainer this falls short of my expectations for the openness of Python and PyPI.

replies(9): >>42137628 #>>42137831 #>>42138035 #>>42138967 #>>42140525 #>>42140881 #>>42142188 #>>42144001 #>>42144423 #
doctorpangloss ◴[] No.42140525[source]
On the one hand, you are totally right, GitHub Actions are the VS Code of automation. People choose them because they are broke, they work well enough, and the average person chooses things based on how it looks. GitHub Actions looks easy, it's cozy, it's comfy, VS Code looks like a code editor, everything has to be cozy and comfy.

On the other hand, considering all of that, you can see why Python would arrive at this design. They are the only other people besides NPM who regularly have supply chain attack problems. They are seemingly completely unopinionated about how to fix their supply chain problems, while being opinionated about the lack of opinions about packaging in general. What is the end goal? Presumably one of the giant media companies, Meta, Google or Microsoft maybe, have to take over the development of runtime and PEP process, but does that even sound good?

replies(1): >>42141248 #
LtWorf ◴[] No.42141248[source]
I think the end goal is to only allow github/google whatever accounts to publish code on Pypi, so importing whatever will be USA-sanctions safe.

The burden to ban russians/koreans/iranians will be on those big companies and pypi will be able to claim they respect the rules without having the resources themselves to ban accounts from sanctioned countries.

So in my opinion, in the future tooling will have some option to check if the software was uploaded via microsoft et al and can be considered unsanctioned in USA.

Or they might just say that's how you upload now and that's it.

replies(2): >>42141438 #>>42141488 #
woodruffw ◴[] No.42141488[source]
None of this is true. There is no plan to disable API token uploads to PyPI or to mandate Trusted Publishing, much less attestations. It's entirely intended to be a misuse-resistant way to upload to the index in the "happy case" where the package uses a CI/CD workflow that supports OpenID Connect.

(I'm disappointed by the degree to which people seem to gleefully conspiracize about Python packaging, and consequently uncritically accept the worse possible interpretation of anything done to try and improve the ecosystem.)

replies(2): >>42141561 #>>42143482 #
zahlman ◴[] No.42143482[source]
>(I'm disappointed by the degree to which people seem to gleefully conspiracize about Python packaging, and consequently uncritically accept the worse possible interpretation of anything done to try and improve the ecosystem.)

I sympathize, but there are obvious reasons for this: low trust in the Python packaging system generally (both because of recent PSF activity and because of the history of complications and long-standing problems), and the fact that many similar things have been seen in the Linux and open-source worlds lately (for one example, Linux Mint's new stance on Flatpak and how they present Flatpak options in the Software Manager). (Edit: it also kinda rhymes with the whole "Secure Boot" thing and how much trouble it causes for Linux installation.)

replies(1): >>42147368 #
woodruffw ◴[] No.42147368[source]
I personally expect people to have better compartmentalization skills than this. It's both unreasonable and inappropriate to have a general chip on your shoulder, and consequently assume a negative interpretation of an unrelated security effort.
replies(1): >>42148402 #
1. LtWorf ◴[] No.42148402{3}[source]
It happens that people don't trust you if you are being obviously dishonest.

I still have to understand how the github credentials stored on my computer are harder to steal than the pypi credentials stored on the very same computer.

If you can explain this convincingly, maybe I'll start to believe some of the things you claim.

replies(2): >>42149061 #>>42149259 #
2. woodruffw ◴[] No.42149061[source]
> I still have to understand how the github credentials stored on my computer are harder to steal than the pypi credentials stored on the very same computer.

This is not, and has never been, the argument for Trusted Publishing. The argument is that temporary, automatically scoped credentials are less dangerous than permanent, user scoped credentials, and that an attacker who does steal them will struggle to maintain persistence or pivot to other scoped projects.

The documentation is explicit[1] about needing to secure your CI workflows, and treating them as equivalent to long-lived API tokens in terms of security practices. Using a Trusted Publisher does not absolve you of your security obligations; it only reduces the scope of failures within those obligations.

[1]: https://docs.pypi.org/trusted-publishers/security-model/

replies(1): >>42152508 #
3. justincormack ◴[] No.42149259[source]
My github credentials are all stored in hardware devices.
replies(1): >>42152495 #
4. LtWorf ◴[] No.42152495[source]
Yes a computer is a hardware device.
5. LtWorf ◴[] No.42152508[source]
> The argument is that temporary, automatically scoped credentials are less dangerous than permanent, user scoped credentials

Nobody forced you to implement never expiring global tokens in pypi…

replies(1): >>42157391 #
6. zahlman ◴[] No.42157391{3}[source]
Indeed. I have to wonder: if being able to authenticate to GitHub, upload one's code there, and then coordinate a transfer from there to PyPI through the approved mechanisms is good enough... then why can't PyPI just use the same authentication method GitHub does?

It seems hard to justify "we want to ensure the build is reproducible" when there is no system to attempt the build on PyPI's end and the default installer is perfectly happy to attempt the build (when no prebuilt version is available) on the user's machine - orchestrated by arbitrary code, and without confirmation as a default - without a chance to review the downloaded source first.

It seems hard to justify "we want to limit the scope of the authentication" when "a few minutes" is more than enough time for someone who somehow MITMed a major package to insert pre-prepared malware, and access to a single package from a major project affects far more machines than access to every repo of some random unimportant developer.

(The wheel format has hashes, but the sdist format doesn't. If these sorts of attacks aren't meaningfully mitigated by wheel hashes, what is the RECORD file actually accomplishing? If they are, shouldn't sdists have them too?)