12

I know it is unsafe to install software (including Python packages) from not trusted or compromised sources.

However I wonder how safe I am when I am installing a trusted package from Python Package Index or from Anaconda repository (which I also consider trusted).

Packages in PyPI may be PGP signed, which makes me believe it is fair safe to install/update them manually.

However, there is no automatic signature verification in pip and it seems there is not going to be.

I wonder how sure can I be there is no MITM attack when I connect to PyPI (or Anaconda) repositories with either pip, easy_install or conda?

I guess pip connection uses at least SSL with certificate verification (it is known to fail with SSL error), but given that pip used plain HTTP as default in 2013 I am pretty sceptical about how strict it is e.g. in case of trusted root CA (for example if it trusts StartCOM and WoSign or not).

Does anyone know what level of security do I have when I decide to use Python package managers?

Update

My question is about safety of PyPI (and similar) clients and their connection to server while Which security measures does PyPI and similar third-party software repositories take? is about whether packages at PyPI may be trusted. In my question PyPI and packages at the server site are assumed to be trusted.

GAD3R
  • 2,211
  • 3
  • 15
  • 38
abukaj
  • 273
  • 2
  • 7

1 Answers1

3

I setup MITM for pip to pypi.python.org and it seems that pip does indeed validate the certificate. It fails with SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]. Maybe I will have more luck with other repositories...

Pip may not be checking gpg signatures but it's not like you are downloading from untrusted sources. For example, Linux packages are spread across mirrors all over the world, and without gpg it would be very likely that some of these packages would be compromised. In pip case, the only source for download is pypi.python.org which is using Fastly CDN for distribution instead of untrusted mirrors.

I don't know conda, never used it.

Aria
  • 2,706
  • 11
  • 19
  • What makes me wonder is how strict is `pip` with respect to root certificates? I mean, whether its authors keep an up-to-date list of trusted CAs, they use an outdated list, or they just embedded their trusted certificate in the `pip`? – abukaj Feb 05 '18 at 14:12
  • 1
    It looks like it's using pip's built-in ca cert, filename is cacert.pem. No idea how this file is updated and where this list comes from. It may be mozilla cacert.pem from cerifi module. But on some systems it may be some other cacert.pem file included by OS vendor. – Aria Feb 05 '18 at 19:06
  • Hi I have the same worries as abukaj ... Excuse my ignorance but https://github.com/pypa/pip/issues/5288#issuecomment-383071739 shows you can get the SSL error even for the valid pypi.org? Should I be cautious in using the bypass given there. – Relaxed1 May 10 '18 at 13:55