
218 points miketheman | 1 comments
amelius ◴[] No.42142619[source]
I'm curious what would happen if a maintainer's PC is compromised. Is there any line of defense left at that point?
replies(2): >>42144542 #>>42144678 #
guappa ◴[] No.42144542[source]
None.

The developer machine will have SSH keys and GitHub tokens that can be used to push a commit to GitHub, which will be built, signed, and uploaded to PyPI.

replies(1): >>42145462 #
amelius ◴[] No.42145462[source]
That sounds like a gigantic attack surface then ...
replies(1): >>42145580 #
guappa ◴[] No.42145580[source]
I think PyPI has been less secure since they have had 2FA.

Before, I could learn my password and type it into twine. If my machine was stolen, no upload to PyPI was possible.

Now it's a token file on my disk, so if my machine is stolen, the token can be used to publish.

Using GitHub to publish doesn't change anything: if my machine is stolen, the token needed to publish is still there, but instead of going directly to PyPI it will need to go via GitHub first.

replies(1): >>42146501 #
amelius ◴[] No.42146501[source]
Tokens are a problem too (a YubiKey might be a solution).

But an attacker could simply edit the source code on the maintainer's machine directly, and it could go unnoticed.

replies(2): >>42147003 #>>42183144 #
cpburns2009 ◴[] No.42147003{3}[source]
I doubt a YubiKey would help without some fancy setup. 2FA is required to sign into PyPI, but that's it. When PyPI rolled it out, I thought you'd have to use 2FA every time you publish. I thought they were taking security seriously. But no, you get your API token, save it to your computer, forget about it, and you can publish your packages forever. Now you can have GitHub automatically publish your packages. That's not any improvement to security. My Google security key is just collecting dust.
replies(2): >>42155786 #>>42183164 #
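Added example, not part of any comment in this thread: a small audit of a `.pypirc` file (twine's configuration file) for the long-lived upload credentials the comments above describe as sitting on the maintainer's disk. The function name `audit_pypirc`, the sample file and the token value are constructed for illustration; it assumes the token is stored in `.pypirc` rather than in a keyring.

```python
import configparser
import stat

# Constructed sample of a ~/.pypirc; the token value is a made-up placeholder.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = __token__
password = pypi-CONSTRUCTED-PLACEHOLDER-TOKEN

[testpypi]
repository = https://test.pypi.org/legacy/
username = alice
"""

def audit_pypirc(text, mode=0o644):
    """Return a list of (location, problem) findings for a .pypirc's contents and file mode."""
    findings = []
    # RawConfigParser: no '%' interpolation, so secrets containing '%' parse cleanly.
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    for section in parser.sections():
        if section == "distutils":
            continue
        user = parser.get(section, "username", fallback="")
        password = parser.get(section, "password", fallback="")
        if user == "__token__" and password.startswith("pypi-"):
            findings.append((section, "API token stored in plaintext"))
        elif password:
            findings.append((section, "password stored in plaintext"))
    # Any group/other permission bit means other local accounts can read the secret.
    if findings and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("file", "readable by other local users (mode %o)" % mode))
    return findings

if __name__ == "__main__":
    for where, problem in audit_pypirc(SAMPLE_PYPIRC, mode=0o644):
        print(f"{where}: {problem}")
```

On a real machine, pass the file's text and `os.stat(path).st_mode & 0o777` instead of the constructed sample.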
amelius ◴[] No.42155786{4}[source]
I'm now thinking about a system that can enforce that any line of code committed to the Git repo has been on the user's screen for at least X seconds. It could be a system completely isolated from the computer on which code is entered (e.g. via the HDMI cable).
replies(1): >>42183187 #
1. guappa ◴[] No.42183187{5}[source]
How could you ever enforce that?