[openstack-dev] [Horizon] the future of angularjs development in Horizon
zigo at debian.org
Fri Nov 14 18:57:15 UTC 2014
On 11/14/2014 08:48 PM, Matthias Runge wrote:
> On 13/11/14 19:11, Donald Stufft wrote:
>> As far as I’m aware npm supports TLS the same as pip does. That secures the
>> transport between the end users and the repository so you can be assured
>> that there is no man in the middle. Security wise npm (and pip) are about
>> ~95% (mad up numbers, but you can get the gist) of the effectiveness as the
>> OS package managers.
> Oh, e.g rpm allows packages to be cryptographically signed, and
> depending on your systems config, that is enforced. This is quite
> different from just tls'ing a connection.
Just like the Debian Release file is signed into a Release.gpg. So, the
RPM system signs every package, while in Debian, it's the full
repository that is signed. That's 2 different approaches that both
works. pip doesn't offer this kind of security, but at the same time, is
there any kind of check for things that are uploaded to PyPi? Is there
at least a peer review process?
> You do realize that TLS provides cryptographic proof of authenticity
> and integrity just like PGP does right? (It also provides the cool
> benefit of privacy which PGP signing does not).
Do you realize that with the TLS system, you have to trust every and all
CA, while with PGP, you only need to trust a single fingerprint?
> All this isn't to say that TLS is 100% as good as using something
> like PGP for signatures though.
I don't agree. I don't trust the CNNIC or the hong-kong post office,
though their key is on every browser. I do trust the Debian PGP key
generated by the Debian team.
> TLS is a fairly decent way of securing a package infrastructure
> though, it prevents all of the major attacks that PGP signing does in
> practice but it moves the "high value" target from the build machines
> to the web servers [...]
And ... to a huge list of root CA which you have to trust.
More information about the OpenStack-dev