[infra] Missing releases from opendev.org/opendev/git-review/tags

Jeremy Stanley fungi at yuggoth.org
Tue Jan 4 23:11:50 UTC 2022

On 2022-01-04 16:13:17 -0600 (-0600), Pete Zaitcev wrote:
> As it happens, just a short time back, I ran into an issue with
> PyPI.[1] Basically, it's possible to upload something there and
> nobody knows anything about it. Is that loss of audit trail a
> concern for our releases?
> -- Pete
> [1] https://zaitcev.livejournal.com/263602.html

That sounds like one of the nose maintainers uploaded a broken file
to PyPI, or someone compromised one of their accounts, or hijacked
the upload mechanism they were relying on. I'm not sure it's
evidence that PyPI itself is untrustworthy; the same can happen (and
has) in other places like NPM... really any artifact registry is
susceptible if there are no cryptographic signatures or external
checksums to validate the files, or, for that matter, if the
compromise happens earlier in the automation than the point where
checksums or signatures are generated.

Was the altered code malicious? Did the maintainers publish a
security advisory somewhere with details? The PyPI maintainers are
generally willing to help investigate such incidents, and are in the
process of pushing stronger authentication mechanisms (2FA for
logins, separate upload tokens, TUF for artifact attestation).

Anyway, back to the original topic, I don't think any of us were
strongly against hosting copies of the release tarballs/wheels for
OpenDev's Python-based utilities, we just hadn't taken the time to
set up jobs to upload them anywhere besides PyPI nor decided on any
sort of signing/attestation solution (reuse what we're doing for
OpenStack with the OpenStack release signing key? Create a separate
OpenDev release signing key and use that? Switch OpenStack's
releases to an OpenDev signing key too? Do something other than
OpenPGP signatures in the wake of the SKS WoT collapse?).

Jeremy Stanley
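The point above about external checksums, and about checksums generated after a compromise, as an added example. This is not OpenDev's release tooling or anything from the thread; the wheel bytes, the file name and the manifest are constructed inline, and `example_tool` is a hypothetical project name.

```python
"""Checksum verification of a release artifact against an out-of-band manifest.

Added example for this thread; it is not OpenDev's release tooling.
The wheel bytes, file name and manifest are constructed inline for the demo.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-in for a wheel as downloaded from an artifact registry.
WHEEL_NAME = "example_tool-1.0.0-py3-none-any.whl"
GOOD_WHEEL = b"PK\x03\x04constructed wheel payload for example_tool 1.0.0"
# The same bytes with one substitution, standing in for a tampered upload.
TAMPERED_WHEEL = GOOD_WHEEL.replace(b"payload", b"backdoor")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Write sha256sum-style lines ("<hex>  <name>") for the given files.

    This models the point in a release pipeline where checksums are
    generated. A manifest only detects tampering that happens after
    this step; if the bytes were already swapped, it blesses them.
    """
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum output, accepting both "hex  name" and "hex *name"."""
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        name = name.lstrip(" *")  # second space (text mode) or '*' (binary mode)
        if (not sep or not name or len(digest) != 64
                or any(c not in "0123456789abcdefABCDEF" for c in digest)):
            raise ValueError(f"malformed manifest line: {raw!r}")
        digests[name] = digest.lower()
    return digests


def verify_artifact(name: str, data: bytes, manifest_text: str) -> bool:
    """True only if the artifact's SHA-256 matches its manifest entry.

    The manifest must come from somewhere other than the registry that
    served the file (a signed release page, a git tag, a mirror); if a
    registry serves both, a registry-side compromise replaces both together.
    """
    expected: Optional[str] = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def pip_hash_requirement(project: str, version: str, data: bytes) -> str:
    """Requirement line for `pip install --require-hashes -r requirements.txt`.

    pip refuses to install any distribution whose hash is not listed, so a
    consumer can pin to known-good bytes independently of what PyPI serves.
    """
    return f"{project}=={version} --hash=sha256:{sha256_hex(data)}"
```

`verify_artifact` catches a swap that happens after the manifest was written; `build_manifest` run over already-tampered bytes produces a manifest that validates them, which is the "compromise earlier in automation" case in the mail. A `SHA256SUMS` file is only as trustworthy as the channel it arrived over, which is where a detached OpenPGP signature (or an equivalent) on the manifest comes in.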
