
218 points miketheman | 1 comments
amelius No.42142619
I'm curious what would happen if a maintainer's PC is compromised. Is there any line of defense left at that point?
guappa No.42144542
None.

A developer machine will have SSH keys and GitHub tokens that can be used to push a commit to GitHub, which will then be built, signed, and uploaded to PyPI.

amelius No.42145462
That sounds like a gigantic attack surface then ...
guappa No.42145580
I think that since they introduced 2FA, PyPI is less secure.

Before, I could memorise my password and type it into twine. If my machine was stolen, no upload to PyPI was possible.

Now it's a token file on my disk, so if my machine is stolen, the token can be used to publish.

Using GitHub to publish doesn't change anything: if my machine is stolen, the token needed to publish is still there, but instead of going directly to PyPI it will need to go via GitHub first.

amelius No.42146501
Tokens are a problem too (a yubikey might be a solution).

But an attacker could simply edit the source code on the maintainer's machine directly, and it could go unnoticed.

guappa No.42183144
> Tokens are a problem too (a yubikey might be a solution).

Not the way they implement things. When they started forcing people to use 2FA, Google also did a Titan key giveaway. But you set it up on your account, generate a token, and that's it.

Identical situation on GitHub. Set up 2FA with a hardware key, then generate a token and never use the hardware key ever again.