On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote: > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo <ra...@develer.com> wrote: > > > > > > Your Task #6/#7 (related to PyPI generating the trust file, and pip > > > verifying it) are the ones where I think the input of the TUF team > > > will be most valuable, as well as potentially the folks responding to > > > the rubygems.org attack. > > > > My undestanding is that #6/#7 are not currently covered by TUF. So yes, I > > would surely value their input to review my design, evolve it together or > > scratch it and come up with something new. > > > > Sorry for the repetition, but I also volunteer for implementation. I don't > > mind if someone else does it (or a subset of it, or we split, etc.), but I > > think it is important to say that this is not a theoretical proposal that > > someone else will have to tackle, but I'm happy to submit patches (all of > > them, in the worst case) to the respective maintainers and rework them > > until they are acceptable. > > > > > The rubygems.org will also be looking at server side incident response > > > - I suspect a lot of that side of things will end up running through > > > the PSF infrastructure team moreso than catalog-sig (although it may > > > end up here if it involves PyPI code changes. > > > > > > While I do have some ideas, I don't think I'm fully qualified for that > > side of things. Primarily, my proposal helps by not forcing PyPI to handle > > an online "master" signing key with all the required efforts (migration, > > rotation, mirroring, threat responses, mitigations, etc.). If you read it, > > you had seen that PyPI is only required to validate signature (like pip), > > not sign anything. > > > > The alternative is to just use a system implemented by several PhD > [candidates?] in 2010 based on years of update system experience, before > pypi security was cool. A doc from last week is a hard sell.
For one, not all PHDs follow clean implementation and automated testing principles. Secondly, I appreciate Giovanni's input, work, and his offer to help with implementation. Let's not be too quick to dismiss it. On a funny sidenote, he is the only one with a successfully openssl-verified email in these security related email threads, just saying :) best, holger _______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig