On Sat, Sep 21, 2013 at 6:17 PM, Donald Stufft <[email protected]> wrote:
>
> On Sep 21, 2013, at 6:12 PM, Trishank Karthik Kuppusamy <[email protected]> wrote:
>
> > Hello Donald,
> >
> > On 09/21/2013 05:54 PM, Donald Stufft wrote:
> >>
> >> Is it possible to do this in a pure python library? I know there are pure
> >> python libraries for ed25519 that are written by the author so they
> >> should be good to use.
> >>
> >
> > It should be possible to do in pure Python all the cryptography that TUF
> > needs. The performance may not be so good with sufficiently large RSA keys,
> > but I think that is a bottleneck only when creating those keys and signing
> > metadata with those keys. Verifying signatures created by those keys should
> > be cheap enough, and that is how most people would use TUF (for reading,
> > not writing). Vlad, what do you think?
>
> Ok good, as long as what someone installing a package needs done can be
> done in pure python that's fine. Pip can't have dependencies in the
> traditional sense so everything needs to be embeddable and pure python. An
> optional C module for speed ups is fine.
>

What about a precompiled Python extension? Bundling wheels?

Packaging tools on the other hand IMO can require compiled code.

>
> >>>
> >>> Before we go any further, though, we would like your thoughts on the
> >>> matter. Should we modify the PyPI server ourselves? Or should we
> >>> wait for Warehouse instead? We want to work together with the DistUtils
> >>> SIG community on all of this, and would appreciate any feedback and
> >>> thoughts you have for us. What would you like to see from us?
> >>
> >> What does an integration look like? What time frame are you looking at
> >> completing this? Warehouse is where the future of PyPI is and I'm loath
> >> to add much else to the old code base, but Warehouse is very incomplete
> >> at the moment.
> >>
> >
> > By an integration, we mean this scenario: developers will be able to
> > register their package-signing keys with PyPI (by uploading their public
> > keys), and sign for package metadata themselves with their private keys.
> > Among other things, the PyPI server will also have to change a bit to
> > generate some TUF metadata itself.
> >
> > I think it would make the most sense for us to figure out how to
> > integrate TUF with Warehouse since that is the future of PyPI. Is now a
> > good time for us to discuss how to do that? What is your timeframe for
> > Warehouse?
>
> Right now I'm porting over database tables to be "owned" by Warehouse
> (Warehouse and legacy PyPI run in tandem). After that I'll be working on
> porting the existing API. I'm hoping to have something that people can
> install from to test in a month or two.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
