
Comments (7)

NicoHood avatar NicoHood commented on September 2, 2024 1

I read a very interesting article a month ago about the exact same issue for node modules. It was an imaginary story about what could happen:
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

Ironically it happened:
https://www.bleepingcomputer.com/news/security/compromised-javascript-package-caught-stealing-npm-credentials/


Okay, let me clarify:

Warehouse/pip developers refuse to add gpg signatures to their packaging system. That is really not a good idea, as stated in the comments of the issue you linked.

I am asking because I am packaging your software for an ArchLinux system. It definitely would give us additional security across multiple releases. If you sign your releases, we would notice if compromised packages were uploaded to an existing or new release.

We do not want to blindly download packages from github/pypi or via pip. It is sad enough that they don't provide security features, so the only way to secure packages is to do it via your operating system of trust.

So please take this issue seriously and rethink your decision.

from aiohttp-cors.

NicoHood avatar NicoHood commented on September 2, 2024 1

No, I need to convince you, because the distribution packages do not use pypi; they use your sources published on github. Those can be verified if gpg signatures are provided, and it would help us a lot.

I'd love to bring homeassistant to the official archlinux repository, but my personal requirement for this is to have all dependencies gpg signed, for the security of all users and my responsibility. And your package is one of those dependencies.

from aiohttp-cors.

asvetlov avatar asvetlov commented on September 2, 2024 1

Sorry, the answer is no.
GPG signing requires changing our autodeployment process, and I don't want to touch it.
To say it again: if PyPI is not secure enough for your requirements, please convince its maintainers to raise the protection level.
I don't want to do extra work unless the work is required.

from aiohttp-cors.

NicoHood avatar NicoHood commented on September 2, 2024 1

I understand that you want to avoid additional work.

Uploading an additional, signed tarfile should not be much work, though, and would integrate with your current workflow. Even gpgit can handle existing git tags and upload signed archives to github automatically. It can't get easier than that.

from aiohttp-cors.
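The workflow argued for in the comments above (a maintainer attaches a detached gpg signature to the release tarball; a packager verifies the tarball against that signature and a pinned key, so a swapped or modified tarball is noticed) as an added example. This is not code from aiohttp-cors, gpgit or anyone in this thread. It assumes GnuPG 2.x (`gpg`, `gpgconf`) is installed; the key identity `release@example.invalid`, the file names and the sample source tree are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from aiohttp-cors, gpgit or anyone in this thread.
# Maintainer side: sign a release tarball with a detached GPG signature.
# Packager side: verify the tarball against the signature AND a pinned key
# fingerprint, so a replaced tarball or a signature from a different key fails.
# Assumptions: GnuPG 2.x (gpg, gpgconf) is installed; the key identity,
# file names and the sample source tree below are invented for the demo.
set -eu

# Throwaway keyring so the demo never touches the user's real keys.
export GNUPGHOME="${GNUPGHOME_DEMO:-$(mktemp -d)}"
chmod 700 "$GNUPGHOME"

# Maintainer: create a signing-only key and print its fingerprint, which is
# the value a packager pins (for Arch, the PKGBUILD validpgpkeys= array).
make_signing_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Release Bot (demo) <release@example.invalid>" default sign 0
    gpg --batch --with-colons --list-keys release@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Maintainer: write a detached, ASCII-armored signature next to the tarball.
sign_release() {   # $1 = tarball path; writes $1.asc
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# Packager: succeed only if the signature over the exact bytes is good AND
# was made by the pinned fingerprint. A "good" signature from any other key
# (an attacker who re-signed a swapped tarball with their own key) is rejected.
verify_release() {   # $1 = tarball path, $2 = expected signing-key fingerprint
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    # Machine-readable status line: "[GNUPG:] VALIDSIG <signing-key fpr> ..."
    printf '%s\n' "$status" \
        | awk -v want="$2" '$2 == "VALIDSIG" && $3 == want { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Constructed sample release: a tiny source tree packed into a tarball.
make_release_tarball() {   # $1 = output tarball path
    work=$(mktemp -d)
    mkdir -p "$work/demo-pkg-0.0.0"
    printf '__version__ = "0.0.0"\n' > "$work/demo-pkg-0.0.0/__init__.py"
    tar -C "$work" -cf "$1" demo-pkg-0.0.0
    rm -rf "$work"
}

# End-to-end run. Returns 0 when every expectation holds:
#   genuine tarball + pinned key   -> accepted
#   genuine tarball + other key    -> rejected (key pinning)
#   modified tarball + pinned key  -> rejected (integrity)
demo() {
    tmp=$(mktemp -d)
    fpr=$(make_signing_key)
    make_release_tarball "$tmp/release.tar"
    sign_release "$tmp/release.tar"

    verify_release "$tmp/release.tar" "$fpr" \
        || { echo "FAIL: genuine release rejected" >&2; return 1; }
    if verify_release "$tmp/release.tar" "0000000000000000000000000000000000000000"; then
        echo "FAIL: signature from an unpinned key accepted" >&2; return 1
    fi
    # Simulate a compromised upload: the bytes change, the old .asc stays.
    printf 'trojan\n' >> "$tmp/release.tar"
    if verify_release "$tmp/release.tar" "$fpr"; then
        echo "FAIL: tampered release accepted" >&2; return 1
    fi

    rm -rf "$tmp"
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "ok: signed release verified; wrong key and tampering detected"
}
```

Run `demo` to see all three checks. For an Arch package the same verification is what `makepkg` performs when the PKGBUILD lists the tarball and its `.asc` in `source=()` and the maintainer's fingerprint in `validpgpkeys=()`. The signature has to cover a tarball the maintainer actually uploaded (the "additional, signed tarfile" above), not the archive GitHub generates on the fly for a tag, because those generated archives are not guaranteed to be byte-for-byte stable over time and a detached signature covers exact bytes.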

asvetlov avatar asvetlov commented on September 2, 2024

No.
The official PyPI position is: we don't need this feature.
See https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/ and pypi/warehouse#3356 (among very many articles/issues about GPG signing on PyPI).

from aiohttp-cors.

NicoHood avatar NicoHood commented on September 2, 2024

Any updates on this?

from aiohttp-cors.

asvetlov avatar asvetlov commented on September 2, 2024

You need to convince not me but PyPI team

from aiohttp-cors.
