Hi Trishank,

On Wed, Jul 31, 2013 at 10:02 -0400, Trishank Karthik Kuppusamy wrote:
> Hello Holger,
>
> On 07/31/2013 08:13 AM, holger krekel wrote:
> > thanks for the high level overview. Do you have a current web page with
> > more detailed technical info with respect to PyPI/TUF?
>
> Good question! I think it is a good idea to put up a "PyPI+pip+TUF
> current status" page on our web site, but in the meantime, here are
> a few links which should point you in the right direction:
>
> 1. pip+TUF: we use the interposition technique
> [https://github.com/theupdateframework/tuf/tree/master/tuf/interposition]
> to minimally modify pip
> [https://github.com/theupdateframework/pip/compare/tuf] to talk to a
> TUF-secured PyPI mirror.
>
> 2. PyPI+TUF: we use automation to build a testbed for investigating
> different key management and metadata schemes to secure PyPI
> [https://github.com/theupdateframework/pypi.updateframework.com].
> (Note: at the time of writing, the automation is slightly
> out-of-date with our work-in-progress.)
>
> 3. These two links should give you a good picture, but they will not
> give you a complete one. We will formally write about what we mean
> with our upcoming key management as well as metadata generation and
> download scheme. Let me start a document and get back to you on
> that.

Thanks for the links. They contain code instructions but I am not sure I get the overall picture yet. Do you have a whitepaper or overview describing the approach wrt PyPI?

If I understand the code correctly, you are implementing key signing, verification and revocation through calling openssl library functions. Have you considered just invoking or interfacing with "gpg"?

On a minor note, for creating a PyPI mirror it's better to use bandersnatch instead of pep381 (I am referring to this here: https://github.com/theupdateframework/pip/wiki/PyPI-over-TUF#mirror-pypi ).

Lastly, maybe the advertisement that "TUF is like the 'S' in HTTPS" is not really a good advertisement given the several currently discussed problems with HTTPS, the most recent one being the BREACH attack: http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/ :)

cheers,
holger

> Thanks,
> Trishank
>
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig