On Sun, Feb 10, 2013 at 10:57 PM, Jesse Noller <[email protected]> wrote:

>> The main benefit in my mind is that it isn't a from-scratch design of
>> a secure update infrastructure. Instead, it's a project that was
>> started in order to resolve some security holes found in Tor's already
>> robust automatic update mechanism, then proceeded from there into
>> updates to yum, yast, apt, etc (i.e. the distro update mechanisms that
>> are vetted by the security teams of the various Linux vendors). The
>> fact Geremy Condra is involved in TUF also counts for a lot with me
>> (as I suspect it would for many people that have heard Geremy talk
>> about security issues in Python).
>>
> That *is* a big +1 from me; do you think we can loop him into these
> discussions? If you don't have his email, I do.
I've asked the TUF folks to come to the packaging & distribution mini-summit I'm organising at PyCon US.

While I think it's worth getting the enhanced SSL infrastructure in place soon in order to better secure the status quo, I think we can be a bit more measured in the way we approach the creation of a secure and usable end-to-end software distribution design.

Cheers,
Nick.

--
Nick Coghlan | [email protected] | Brisbane, Australia

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
