On Sun, Jun 2, 2013 at 5:37 PM, holger krekel <[email protected]> wrote:
> Speaking of TUF: is there some kind of PEP-like doc floating already?
Just the proof-of-concept the TUF folks created about using it to secure /simple.

I'm personally sold on the technology itself as something we should deploy in the long run, but I think it makes sense to wait until we have the static dependency metadata publication and various other PyPI-related infrastructure issues sorted out before we try to offer additional protection above and beyond trusting the SSL CA system and PyPI itself.

That said, one of the reasons PEP 426 calls out the "essential dependency resolution" fields is that those are the ones I think it may make sense to embed in the TUF custom metadata fields.

Cheers,
Nick.

--
Nick Coghlan | [email protected] | Brisbane, Australia

_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig
