pip: Documentation Error: Hashes are for integrity, not security

Description

Currently the documentation has a subsection titled Hash-checking Mode under a section called Secure installs.

This is extremely misleading because checking hashes (that are not cryptographically signed) does not provide additional security via authenticating the package cryptographically.

Hash checking is for verifying that the file wasn’t corrupted when it was being downloaded. It verifies integrity. It does not verify that the package wasn’t maliciously altered. Note that this is the case because if the package was maliciously altered (e.g. by a publishing infrastructure compromise), then the attacker could just as easily modify the hashes such that pip will happily install the malicious module.

Security via payload authentication is done with a cryptographic signature. Commonly, this involves hashes by signing a digest file that includes the hashes. But if the hashes are not cryptographically signed, then only integrity is assured; authenticity is not assured.

Expected behavior

The documentation should move the Hash-checking Mode into another section titled Corruption Checking, and it should add a warning indicating that pip currently does not have a built-in mechanism to cryptographically verify the authenticity of packages that it downloads, which leaves users vulnerable to downloading malicious software due to attacks such as a publishing infrastructure compromise.

How to Reproduce

  1. Go to the sphinx docs (generated by this repo’s docs dir) https://pip.pypa.io/en/stable/topics/secure-installs/
  2. See misleading documentation with factual errors
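As an added illustration (this is not pip's code and not part of the original issue or its comments), the following Python re-implements the check pip performs in hash-checking mode on `--hash=alg:hex` pins and runs it over constructed bytes standing in for a wheel. It shows the three cases the report distinguishes: an intact download passes, a corrupted download fails, and an artifact whose accompanying hash was produced by whoever altered it passes too, because the check only establishes that the bytes match the digest it was handed. The package name, file contents, and helper names are assumptions made for the example.

```python
"""Added example, not pip's implementation: a minimal re-creation of the
--require-hashes check, used to show what matching a pinned digest does
and does not establish. All inputs below are constructed inline."""
import hashlib
import re

# pip accepts --hash=<alg>:<hexdigest>; sha256, sha384 and sha512 are allowed.
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


def parse_requirement_line(line: str):
    """Split 'name==ver --hash=alg:hex [--hash=...]' into (spec, {alg: {hex,...}})."""
    parts = line.split()
    spec = parts[0]
    hashes: dict[str, set[str]] = {}
    for tok in parts[1:]:
        m = _HASH_RE.fullmatch(tok)
        if not m:
            raise ValueError(f"unexpected token in hash-checking line: {tok!r}")
        alg, hexdigest = m.group(1), m.group(2).lower()
        hashes.setdefault(alg, set()).add(hexdigest)
    if not hashes:
        # In hash-checking mode every requirement must carry at least one hash.
        raise ValueError(f"no --hash for {spec}; refusing to install")
    return spec, hashes


def digest_matches(data: bytes, hashes: dict[str, set[str]]) -> bool:
    """True if the bytes match any pinned digest (any one matching hash is accepted)."""
    return any(
        hashlib.new(alg, data).hexdigest() in allowed
        for alg, allowed in hashes.items()
    )


def pin_line(spec: str, data: bytes) -> str:
    """Produce the requirements line a publisher (or attacker) would ship for `data`."""
    return f"{spec} --hash=sha256:{hashlib.sha256(data).hexdigest()}"


def scenarios() -> dict[str, bool]:
    """Run the check over constructed artifacts; see the lead-in for the cases."""
    artifact = b"PK\x03\x04 constructed stand-in for example_pkg-1.0-py3-none-any.whl"
    _, pinned = parse_requirement_line(pin_line("example-pkg==1.0", artifact))

    # Case 1: a single flipped bit in transit is caught (integrity).
    corrupted = artifact[:-1] + bytes([artifact[-1] ^ 0x01])

    # Case 2: the publishing pipeline is compromised; the attacker ships a new
    # artifact AND republishes the matching hash alongside it.
    malicious = b"PK\x03\x04 constructed backdoored stand-in"
    _, attacker_pinned = parse_requirement_line(pin_line("example-pkg==1.0", malicious))

    return {
        "intact_download": digest_matches(artifact, pinned),
        "corrupted_download": digest_matches(corrupted, pinned),
        "tampered_vs_original_pin": digest_matches(malicious, pinned),
        "tampered_vs_attacker_pin": digest_matches(malicious, attacker_pinned),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

The last two entries make the report's point concrete: the same malicious bytes fail against a digest recorded independently of the attacker and pass against one the attacker supplied. Nothing in the digest itself says which of those two situations you are in; only the provenance of the pinned hash does, which is what a signature over the digest file would bind.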

About this issue

  • State: closed
  • Created 4 months ago
  • Comments: 21 (11 by maintainers)

Most upvoted comments

The hash feature doesn’t provide “some security”. It provides zero security. Without a signature, it protects against corrupt downloads. That’s not security.

It is some level of security. There are scenarios where it matters. Here we simply disagree.

Ultimately pip maintainers decide how they want to communicate with their users. That’s their right, and well, you might argue as much as you want, but all you might have are opinions and proposals. And decisions are not yours to make.

On a human level I have a suggestion to you @maltfield - before it gets any further. Remember there are other humans on the other side.

I propose that you consider that you’ve been listened to, your opinion was considered and rejected. Happens.

I think appreciating all the effort that maintainers put in to make things work well (and better every day) so that you can use the software for free, often in their own personal time, away from their families and the things they get paid for, is better than fighting with them over minute and, in the long run, completely meaningless details.

If I may suggest something from my experience: even if I finally got the small thing I fought for, it was overall a bad idea for me to get confrontational here. If I regret something, then it was how short-sighted and stupid I was back then to get into that rabbit hole, and I would gladly go back in time and revert it.

IMHO you will get much more by accepting and trying to understand the other side, and accepting that other people might have different opinions and, when they have the merit of the projects, they have the right to make decisions that are right for them and their users.

But, well that’s my opinion, experience and advice - you might take it or not, up to you.