On Jun 2, 2013, at 4:21 AM, Nick Coghlan <ncogh...@gmail.com> wrote:
> On Sun, Jun 2, 2013 at 5:37 PM, holger krekel <hol...@merlinux.eu> wrote:
>> Speaking of TUF: is there some kind of PEP like doc floating already?
>
> Just the proof-of-concept the TUF folks created about using it to
> secure /simple. I'm personally sold on the technology itself as
> something we should deploy in the long run, but I think it makes sense
> to wait until we have the static dependency metadata publication and
> various other PyPI related infrastructure issues sorted out before we
> try to offer additional protection above and beyond trusting the SSL
> CA system and PyPI itself.
>
> That said, one of the reasons PEP 426 calls out the "essential
> dependency resolution" fields is that those are the ones I think it
> may make sense to embed in the TUF custom metadata fields.
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

If we deploy some sort of end to end signing I think TUF is a good implementation of it. I'm not sold on the possibility of reasonably doing end to end signing here though.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA