"we require you to provide PGP signatures for all your artifacts (all files except checksums), and distribute your public key to a key server like http://pgp.mit.edu."
>anyone can make a signature
The article flip-flops on this.
any hacker can do it
it's too much burden for developers
>any malicious package author can point people at a maliciously-owned signature as well
Anyone can also verify ownership of the key before accepting packages signed by it. This is something professionals do. This is something institutions do. This is something three letter agencies do.
>Does such a tool exist
There are CVEs for Python. One could even scan a repository using those. Java has prebuilt tools for this. OWASP has the dependency-check plugin for Maven. Nexus uses the same information in their repository health checks.
>have you proposed it as part of pypi's infrastructure? I am sure they'd be interested in that.
Why would I? Given their response to signed packages, I would expect a response along the lines of "Too much burden. Too hard. Not perfect. Not worth it. Security theater. Go away. Ur dumb."
>I'm not sure how the license file of a product impacts the issue of it being malware or not.
It's one of those nice features of good repository management. Do Python packages even list licenses? I mean, I assume they would, but then, they actively resist implementing other basic things which I would just assume they could do.
Licenses change over time. Some enterprises treat GPL like a virus. Knowing ReactJS changes from Apache to BSD + Patents in a new version is as important to someone in the business as knowing if a package is compromised.
>it appears to be a closed-source, commercial product
Nexus OSS is open source, Nexus Professional is commercially licensed. The latter has a few nice features the former does not. Both can manage PyPI, NPM, Ruby, Docker, Maven, and NuGet repos to name a few.
https://maven.apache.org/guides/mini/guide-central-repositor...
https://www.sonatype.com/nexus-repository-oss
>I would encourage you to write a comprehensive rebuttal to the blog post you refer towards
It's easier to fool people than to convince them that they have been fooled. -- Mark Twain
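The "verify ownership of the key before accepting packages signed by it" step above is the part that turns a PGP signature from "anyone can make one" into a real check: the signature proves the artifact was signed by a particular key, and a fingerprint obtained out of band proves that key belongs to the maintainer. The script below is an added example, not code from the original post nor from PyPI, Maven or Nexus. It assumes GnuPG 2.x is installed as `gpg`; the fingerprints and `--status-fd` lines in it are constructed for illustration, and the pinned fingerprint stands in for one you fetched yourself from a channel the key server does not control.

```python
"""Verify a detached OpenPGP signature and pin the signer's primary-key fingerprint.

Added example; assumes GnuPG 2.x is on PATH as `gpg`. Fingerprints and the
`[GNUPG:]` status lines are constructed, not captured from a real run.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed, hypothetical fingerprints (40 hex digits). In practice the pinned
# value is the maintainer's primary-key fingerprint obtained out of band (project
# site over TLS, a signed release announcement, in person). A key server only
# hands you bytes; it does not vouch for who owns them.
PINNED_PRIMARY_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SIGNING_SUBKEY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
IMPOSTOR_FPR = "1111111111111111111111111111111111111111"

# Constructed `gpg --status-fd 1 --verify` output. VALIDSIG's first field is the
# key that made the signature (often a signing subkey); the tenth is the primary.
SAMPLE_STATUS_OK = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {SIGNING_SUBKEY_FPR[-16:]} Example Maintainer <maint@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SIGNING_SUBKEY_FPR} 2023-01-01 1672531200 0 4 0 22 8 00 {PINNED_PRIMARY_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_STATUS_BADSIG = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {SIGNING_SUBKEY_FPR[-16:]} Example Maintainer <maint@example.invalid>\n"
)
# A perfectly good signature from a key nobody verified: the "maliciously-owned
# signature" case. GOODSIG/VALIDSIG are present, only the fingerprint differs.
SAMPLE_STATUS_IMPOSTOR = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {IMPOSTOR_FPR[-16:]} Example Maintainer <maint@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {IMPOSTOR_FPR} 2023-01-01 1672531200 0 4 0 22 8 00 {IMPOSTOR_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


@dataclass
class Verdict:
    ok: bool
    reason: str
    signing_key_fpr: str = ""
    primary_key_fpr: str = ""


def _norm(fpr: str) -> str:
    """Canonical form (no spaces, upper case) so a human-pasted fingerprint compares."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_status(status_text: str) -> dict:
    """Map each `[GNUPG:] KEYWORD args...` line to keyword -> list of argument lists."""
    found: dict = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            found.setdefault(parts[1], []).append(parts[2:])
    return found


def judge(status_text: str, pinned_primary_fpr: str) -> Verdict:
    """Accept only a cryptographically valid signature made under the pinned primary key.

    TRUST_* (web of trust) lines are deliberately ignored: the pin replaces them.
    GOODSIG alone is never enough; every key is GOODSIG for its own signatures.
    """
    st = parse_status(status_text)
    if "BADSIG" in st:
        return Verdict(False, "signature does not match the artifact")
    if "NO_PUBKEY" in st:
        return Verdict(False, "signing key is not in the local keyring")
    if "REVKEYSIG" in st or "EXPKEYSIG" in st:
        return Verdict(False, "signing key is revoked or expired")
    if "VALIDSIG" not in st:
        return Verdict(False, "gpg reported no valid signature")
    args = st["VALIDSIG"][0]
    signing = args[0]
    primary = args[9] if len(args) >= 10 else args[0]  # very old gpg omits field 10
    if _norm(primary) != _norm(pinned_primary_fpr):
        return Verdict(False, "valid signature, but not from the pinned key", signing, primary)
    return Verdict(True, "valid signature from the pinned primary key", signing, primary)


def verify_artifact(artifact: str, signature: str, pinned_primary_fpr: str, gpg: str = "gpg") -> Verdict:
    """Run gpg on a real artifact and its detached .asc, then judge the status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return judge(proc.stdout, pinned_primary_fpr)


if __name__ == "__main__":
    for name, status in [("ok", SAMPLE_STATUS_OK), ("badsig", SAMPLE_STATUS_BADSIG),
                         ("impostor", SAMPLE_STATUS_IMPOSTOR)]:
        print(name, judge(status, PINNED_PRIMARY_FPR))
```

`verify_artifact("pkg-1.0.tar.gz", "pkg-1.0.tar.gz.asc", PINNED_PRIMARY_FPR)` is the call a build pipeline would make after `gpg --recv-keys` (or, better, after importing the key from the project's own site). The impostor case is the one that matters for the argument in this thread: it passes every check gpg itself performs, and is rejected only because the primary-key fingerprint does not match the one verified out of band.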