eugenekolo / pip-install
License: MIT License
Describe the bug
When a user downloads this python module using pip, there is no cryptographic authenticity or integrity validation to protect the user from a MITM attack. Therefore, this project is making any other projects that obtain the install module via pip in their build process vulnerable to a watering hole attack.
Expected behavior
A developer should have a mechanism to cryptographically verify the integrity and authenticity of this package when obtaining it through pip.
To Reproduce
pip install install
Additional context
As far as I can tell, this is the only package required for @theupdateframework that cannot be cryptographically validated when installing tuf and its dependencies on Debian, which is a pretty important security risk for users trying to bootstrap a secure updater that itself can't be secured.
Possible solutions include:
- Using the --sign argument of twine when uploading packages to PyPI
- Publishing a cryptographically signed document (ideally using gpg) listing the hashes for all packages uploaded to PyPI, which users can then pass into pip using the --hash argument
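As an added illustration of the second option (this is example code, not from the issue or the pip-install project): pip accepts per-requirement hashes in a requirements file and, with --require-hashes, refuses any download whose digest differs. The helpers below compute a digest, emit such a requirements line, and check a file against a digest taken from a published listing; the package name, version and file contents are constructed placeholders, and sha256sum (or shasum) is assumed to be installed.

```shell
#!/bin/sh
# Added example: hash-pinned installation for a pip dependency.
# Assumes sha256sum or shasum is available; names and contents are constructed.

# Hex sha256 digest of a local distribution file (wheel or sdist).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# Requirements line in the form pip reads for hash checking:
#   <name>==<version> --hash=sha256:<digest>
# Installed with: pip install --require-hashes -r requirements.txt
pinned_requirement() {
    name="$1"; version="$2"; file="$3"
    printf '%s==%s --hash=sha256:%s\n' "$name" "$version" "$(sha256_of "$file")"
}

# Compare a downloaded file with the digest from a hash listing.
# Exit status 0 on match, 1 on mismatch; do not install on mismatch.
# The listing itself should first be checked with, for example,
#   gpg --verify hashes.txt.asc hashes.txt
verify_against_listing() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Demo on a constructed stand-in for a downloaded sdist (placeholder version).
tmp="$(mktemp -d)"
printf 'stand-in package contents\n' > "$tmp/install-0.0.0.tar.gz"
pinned_requirement install 0.0.0 "$tmp/install-0.0.0.tar.gz" > "$tmp/requirements.txt"
cat "$tmp/requirements.txt"
# Followed by: pip install --require-hashes -r "$tmp/requirements.txt"
```

Note that pip only honours --hash inside a requirements file, so the line produced above is what a consuming project would commit alongside its other pins.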