#pypa-dev logs for Wednesday the 12th of November, 2014

[00:59:58] <dstufft> don't worry, putting new features into 2.7.999 gets people to yell at you too
[01:00:08] <dstufft> but it also gets new features in a python that people actually use
[01:02:55] <Alex_Gaynor> dstufft: "have we considered 2.6.999999" ;-)
[18:56:28] <abadger1999> Is there a way to turn off pip's use of md5?
[18:57:13] <abadger1999> I'm testing working on some code that runs pip on a FIPS-140-2 system and pip throws an exception because it attempts to use md5 hashing.
[18:57:47] <abadger1999> either turning off the checksum checking or using an alternate hash would work for my purposes.
[19:08:18] <Alex_Gaynor> abadger1999: I don't think there's a thing for that; it's not clear to me what the "user safe" way to do that would be
[19:08:36] <Alex_Gaynor> what can you do if you want to turn it off, besides just ignore it, it's not like sha256 is available for most of those packages
[19:08:57] <abadger1999> yeah, agreed. Have to just ignore it.
[19:09:04] <abadger1999> Maybe print a warning.
[19:09:44] <abadger1999> My understanding is that security is supposed to come from https -- md5 is just part of verifying against corruption while downloading.
[19:10:24] <Alex_Gaynor> yeah -- normally I'd say, how does corruption survive tcp checksums, and the hmac in tls... but I've seen the md5 catch stuff before
[19:10:46] <Alex_Gaynor> abadger1999: I think you'll probably have to patch pip up
[19:12:15] <abadger1999> Alex_Gaynor: <nod> Thanks. for now, I'm just going to document that our pip module doesn't work if you have to suffer through FIPS-mode.
[19:12:26] <abadger1999> users ought to be used to it since they can't run CLI pip either.
[19:13:30] <Alex_Gaynor> abadger1999: yeah, fwiw it's relatively straightforward to patch if you want to
[19:13:38] <Alex_Gaynor> abadger1999: just remove md5 from https://github.com/pypa/pip/blob/develop/pip%2Findex.py#L1048
[19:15:59] <abadger1999> <nod> I may take a look ; I'd have to look for something that would be acceptable for upstream pip if I did though, so I'd probably have to look a little deeper.
[19:17:02] <Alex_Gaynor> dstufft: what would block phasing out md5 for file integrity checks?
[19:17:43] <Alex_Gaynor> it looks like everything on pypi/warehouse just has an md5, so I guess that's the main blocker
[19:18:09] <dstufft> well PyPI can switch to sha256
[19:18:10] <dstufft> I tried doing it before
[19:18:16] <dstufft> PEP 470 would make it easier
[19:18:30] <Alex_Gaynor> how so?
[19:18:51] <dstufft> Note this: crazy distutils-sig logic not normal logic
[19:19:00] <Alex_Gaynor> oh. sorry. carry on
[19:19:01] <dstufft> but there is ~60 some packages relying on md5 not TLS for security
[19:19:26] <Alex_Gaynor> :V
[19:19:40] <Alex_Gaynor> so, there's 60 packages that are vulnerable to a large class of issues
[19:19:52] <dstufft> these are the externally hosted but "safe" packages
[19:19:53] <abadger1999> ah because the package source isn't hosted directly on pypi so it's retrieved over plain http:// ?
[19:19:56] <Alex_Gaynor> not replacement by arbitrary packages... probably... maybe
[19:20:03] <Alex_Gaynor> but definitely can have their content modified
[19:20:09] <Alex_Gaynor> ala flame
[19:20:56] <dstufft> yea
[19:21:08] <dstufft> collision attacks are, to my knowledge, only useful if you're the original author
[19:21:18] <Alex_Gaynor> let me think
[19:21:25] <dstufft> in which case if you don't trust the original author you're already outside of our current threat model
[19:21:37] <agronholm> Jurko: are you the jurko who forked suds?
[19:21:50] <dstufft> last time I had this argument PJE was one of the major people against it
[19:21:59] <dstufft> and as far as I can tell PJE stopped caring about distutils-sig
[19:22:08] <dstufft> so it's possible we can change it
[19:22:22] <Alex_Gaynor> dstufft: so, strictly speaking pre-image resistance is broken for md5, the known attack is still computationally infeasible, but it's broken
[19:22:54] <dstufft> Alex_Gaynor: want to make a distutils-sig post about md5 on PyPI? :D
[19:23:00] <Alex_Gaynor> dstufft: I would just assume it's fully broken.
[19:23:09] <Alex_Gaynor> Gosh. ok.
[19:23:48] <dstufft> if PyPI switched to sha256, I imagine pip would likely be happy to just drop support for md5 and probably sha1 completely
[19:30:49] <Alex_Gaynor> dstufft: https://bpaste.net/show/b67c398cae4e < abadger1999 does that accurately describe your issue
[19:32:11] <dstufft> Alex_Gaynor: we can probably auto upgrade those ~60 packages by just downloading them, checking the md5sum, and then generate a sha256sum
[19:32:16] <abadger1999> Alex_Gaynor: +1 Looks good to me.
[19:32:21] <Alex_Gaynor> dstufft: ah good point.
[19:32:57] <dstufft> might want to say "and setuptools" too
[19:33:12] <dstufft> setuptools supports multi hashes too like pip does -> https://github.com/jaraco/setuptools/blob/master/setuptools/package_index.py#L230-L233
[19:33:18] <Alex_Gaynor> dstufft: cool, will mention that
[19:33:48] <dstufft> there's a small window between where setuptools implemented TLS verification and before it supported multi hashes, but it was back in the 0.7 era and I don't think it matters much
[19:34:05] <Alex_Gaynor> dstufft: http://paste.openstack.org/show/132486/ look good?
[19:34:39] <dstufft> lgtm
[19:34:48] <Alex_Gaynor> cool, shipping it
[19:35:30] <Alex_Gaynor> dstufft: posted
[19:43:59] <dstufft> Alex_Gaynor: +1'd
[19:44:05] <Alex_Gaynor> dstufft: A+
[20:02:16] <Jurko> agronholm: yup, that's me...
[20:02:34] <agronholm> Jurko: nice
[20:02:40] <agronholm> I'll be needing it later this month
[20:03:26] <Jurko> agronholm: hope it helps :-) let me know how it goes...