This repository was archived by the owner on Jul 16, 2020. It is now read-only.

Replay and freeze attacks for pip without TUF

Trishank Karthik Kuppusamy edited this page Sep 21, 2013 · 9 revisions

In a replay or freeze attack, the attacker prevents pip from seeing updates, either by replaying previous metadata or data (replay) or by serving the current metadata or data indefinitely (freeze). Either way, users will not see the latest security updates to packages.

First, we set up the virtual environment (for cleanroom testing) and install pip-without-TUF:

$ cd /tmp
$ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.10.1.tar.gz
$ tar xvfz virtualenv-1.10.1.tar.gz
$ python virtualenv-1.10.1/virtualenv.py --no-site-packages replay-without-tuf
$ source replay-without-tuf/bin/activate

Next, suppose the attackers on PyPI show you the current FooBar (0.2):

$ pip install FooBar --index-url http://mirror1.poly.edu/test-pip/replay/repository.current/targets/simple/
Downloading/unpacking FooBar
  Downloading FooBar-0.2.tar.gz
  Running setup.py egg_info for package FooBar
    Installing collected packages: FooBar
  Running setup.py install for FooBar
    FooBar 0.2
    Successfully installed FooBar
Cleaning up...

Now, when you try to upgrade FooBar, suppose the attackers on PyPI replay the previous FooBar (0.1):

$ pip install FooBar --upgrade --index-url http://mirror1.poly.edu/test-pip/replay/repository.previous/targets/simple/
Requirement already up-to-date: FooBar in ./replay-without-tuf/lib/python2.7/site-packages
Cleaning up...

Finally, when you try to upgrade FooBar, suppose the attackers on PyPI froze the current FooBar (0.2):

# Fast-forward system clock to the future.
$ sudo date --set="Sep 1 01:54:38 UTC 2014"

$ pip install FooBar --upgrade --index-url http://mirror1.poly.edu/test-pip/replay/repository.current/targets/simple/
Requirement already up-to-date: FooBar in ./replay-without-tuf/lib/python2.7/site-packages
Cleaning up...

# Return system clock to a current time.
$ sudo ntpdate-debian

These unfortunate situations could have been avoided with the replay and freeze attack protection offered by PyPI-with-TUF.
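To show why the two checks TUF metadata carries (a version number and an expiration date) defeat both attacks above, here is an added illustration written for this page, not TUF's own code: the metadata records, their expiry date and the "trusted version" bookkeeping are constructed assumptions, and signature verification is assumed to have happened before these checks run.

```python
from datetime import datetime, timezone

# Constructed sample metadata in the spirit of TUF's timestamp role: a
# monotonically increasing version number and an expiry date. Real TUF
# metadata is also signed; signature checks are assumed done before this.
CURRENT = {"version": 2, "expires": "2013-10-21T00:00:00Z", "targets": {"FooBar": "0.2"}}
PREVIOUS = {"version": 1, "expires": "2013-10-21T00:00:00Z", "targets": {"FooBar": "0.1"}}


def parse_expiry(s):
    """Parse the ISO-8601 UTC expiry string used in the sample metadata."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_metadata(new, trusted_version, now):
    """Return (ok, reason). Rejects rolled-back (replay) and expired (freeze) metadata."""
    # Replay: the version must never go backwards relative to what we last trusted.
    if new["version"] < trusted_version:
        return False, "replay: version %d < trusted %d" % (new["version"], trusted_version)
    # Freeze: expiry bounds how long an attacker can keep serving stale-but-valid metadata.
    if parse_expiry(new["expires"]) <= now:
        return False, "freeze: metadata expired at %s" % new["expires"]
    return True, "ok"


def run_scenario():
    """Walk through the page's three steps; returns the reason string for each."""
    utc = timezone.utc
    trusted = 0
    results = []
    # Step 1: the mirror shows the current metadata (version 2); the clock reads Sep 21 2013.
    ok, why = check_metadata(CURRENT, trusted, datetime(2013, 9, 21, tzinfo=utc))
    results.append(why)
    if ok:
        trusted = CURRENT["version"]  # remember the highest version we accepted
    # Step 2: the mirror replays the previous metadata (version 1).
    results.append(check_metadata(PREVIOUS, trusted, datetime(2013, 9, 21, tzinfo=utc))[1])
    # Step 3: the mirror freezes version 2; the clock is fast-forwarded to Sep 1 2014 as on this page.
    results.append(check_metadata(CURRENT, trusted, datetime(2014, 9, 1, 1, 54, 38, tzinfo=utc))[1])
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Without the version check, step 2 looks like "already up-to-date" exactly as pip reported above; without the expiry check, step 3 can be sustained for as long as the attacker controls the mirror.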
