Hey.

On Fri, Feb 17, 2023 at 3:35 PM Stefano Rivera <stefa...@debian.org> wrote:
> There is probably some value there. You're safer from a variety of
> attacks that *could* theoretically happen on PyPI.

Well, such language-specific package repos (like PyPI, npmjs, etc.)
have already been victims of such attacks numerous times. So
it's not just a theoretical issue, I think.

> But, let me deflate Debian's reputation a bit here.
> Debian security support doesn't mean you're completely protected.  There
> is probably a human behind a Debian upload that has vetted the upload
> and thinks it is safe. They thought this thing was useful to package for
> Debian (so probably not malware), and did some review to see that it
> installed itself correctly. They may have reviewed the upstream code,
> they may not have. They may review new upstream version diffs, they may
> not. (Generally, small things are easy to review, big complex things are
> impossible to.)

Sure, there are no code audits by Debian maintainers, there's no
guarantee that the maintainer retrieved the code in a secure way
(whatever that would be).

Still, even the download method of PyPI (and friends) - https - has
all kinds of issues. Typically one has something like 150 trusted root
CAs, plus several thousand(?) intermediate CAs under them.
Many of those are in the hands of quite questionable countries or organizations.
Again, the DM might just as well download the code via https (and not
verify some upstream gpg, if present at all). But at least this would
cause *all* Debian users (of that package) to be compromised, which in
turn makes it much more likely that any compromise would get noticed.
Attacks specific to a single person are no longer easily possible.

> But, on balance, for many problems the gains here aren't worth the pain
> of restricting yourself to Python modules published in Debian stable
> releases.

Well, I guess it's clear there's no 100% protection. In the end it's
simply nice if one can easily choose whichever one wants. If
someone wants to use PyPI code, fine; if someone wants to restrict
himself to Debian-only, fine too.

Anyway, thanks :-)

Regards,
Philippe.