On Sat, Sep 21, 2013 at 6:12 PM, Trishank Karthik Kuppusamy <[email protected]> wrote:

> Hello Donald,
>
> On 09/21/2013 05:54 PM, Donald Stufft wrote:
>>
>> Is it possible to do this in a pure python library? I know there are pure
>> python libraries for ed25519 that are written by the author so they
>> should be good to use.
>>
> It should be possible to do in pure Python all the cryptography that TUF
> needs. The performance may not be so good with sufficiently large RSA keys,
> but I think that is a bottleneck only when creating those keys and signing
> metadata with those keys. Verifying signatures created by those keys should
> be cheap enough, and that is how most people would use TUF (for reading,
> not writing). Vlad, what do you think?

According to the author, the pure python implementation is very slow and vulnerable to side-channel attacks, although we have not compared it against the cryptography libraries we have considered. It is also only an elliptic-curve public key signature scheme. We should consider it, especially if we are being restricted to pure Python, but the Python implementation appears (IMO) to be for educational purposes.

>> Before we go any further, though, we would like your thoughts on the
>> matter. Should we modify the PyPI server ourselves? Or should we
>> wait for Warehouse instead? We want to work together with the DistUtils
>> SIG community on all of this, and would appreciate any feedback and
>> thoughts you have for us. What would you like to see from us?
>>
>
> What does an integration look like? What time frame are you looking at
> completing this? Warehouse is where the future of PyPI is and I'm loathe
> to add much else to the old code base, but Warehouse is very incomplete
> at the moment.
>
> By an integration, we mean this scenario: developers will be able to
> register their package-signing keys with PyPI (by uploading their public
> keys), and sign for package metadata themselves with their private keys.
> Among other things, the PyPI server will also have to change a bit to
> generate some TUF metadata itself.
>
> I think it would make the most sense for us to figure out how to integrate
> TUF with Warehouse since that is the future of PyPI. Is now a good time for
> us to discuss how to do that? What is your timeframe for Warehouse?
>
> Thanks,
> Trishank
>
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
