Hello,

The folks who worked on Docker Content Trust also recently presented Notary at the DockerCon 2015 keynote, which you may view here:
http://www.ustream.tv/recorded/64499822#to01:54:00

Thanks,
Vlad

--
[email protected]
PGP fingerprint = ACCF 9DCA 73B9 862F 93C5 6608 63F8 90AA 1D25 3935
--

On Sun, Aug 23, 2015 at 8:19 PM, Nick Coghlan <[email protected]> wrote:
> Hi folks,
>
> The recent Docker 1.8 release was the first one to include their new
> content signing system, which is described well in this post:
> https://blog.docker.com/2015/08/content-trust-docker-1-8/
>
> The reason I bring that up here is because the Docker Content Trust
> system is based on The Update Framework, which is the same system
> we've been exploring for PyPI package signing in PEPs 458 and 480.
>
> The part I particularly like is the way they have handled the trust
> establishment process for content signing: they use a "trust on first
> use" model by default, similar to that used in SSH. This means there
> is still a reliance on HTTPS and the CA system, but only for the task
> of bootstrapping TUF in a way that allows new clients to obtain the
> public signing certificate of the repo publisher transparently. Once
> the initial trust relationship with a public repo like PyPI or a
> private repo within a company or other organisation has been
> established, later compromises of the CA system don't provide the
> ability to forge package signatures.
>
> Also of potential interest is the TUF-based signing infrastructure
> that Docker built, Notary: https://github.com/docker/notary
>
> While I don't have a strong personal preference one way or the other,
> finding a way to reuse that does seem like it could be an interesting
> architectural alternative to building signing capabilities directly
> into Warehouse itself.
>
> Regards,
> Nick.
>
> --
> Nick Coghlan | [email protected] | Brisbane, Australia
> _______________________________________________
> Distutils-SIG maillist - [email protected]
> https://mail.python.org/mailman/listinfo/distutils-sig
>
_______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
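The "trust on first use" bootstrap that Nick's quoted message describes, as an added illustration (not code from Notary, TUF or Warehouse): the client pins the repository's root signing key the first time it sees it (that one fetch is where HTTPS and the CA system are relied on), and from then on accepts only metadata signed by that pinned key, so a later CA compromise that serves a different "root" gets refused. Go is used because Notary is written in Go; the TOFUClient type and the constructed metadata blob are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TOFUClient is a hypothetical client: it pins the repository root key on
// first contact and thereafter trusts only that key (illustration only,
// not Notary's or TUF's implementation).
type TOFUClient struct {
	pinnedRoot ed25519.PublicKey
}

// Bootstrap pins a root key on first use. A later call with a different key
// is refused: re-keying must be an explicit out-of-band decision, not
// something a freshly served (possibly CA-forged) root can trigger.
func (c *TOFUClient) Bootstrap(root ed25519.PublicKey) error {
	if c.pinnedRoot == nil {
		c.pinnedRoot = root // first use: trust what HTTPS delivered
		return nil
	}
	if !c.pinnedRoot.Equal(root) {
		return errors.New("root key mismatch: refusing to re-pin")
	}
	return nil
}

// Verify accepts repository metadata only if signed by the pinned root key.
func (c *TOFUClient) Verify(metadata, sig []byte) error {
	if c.pinnedRoot == nil {
		return errors.New("no pinned root: bootstrap first")
	}
	if !ed25519.Verify(c.pinnedRoot, metadata, sig) {
		return errors.New("signature does not verify under pinned root")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)           // publisher
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the client never pinned
	c := &TOFUClient{}
	_ = c.Bootstrap(pub)
	meta := []byte(`{"targets":{"example-1.0.tar.gz":{"length":1234}}}`) // constructed sample
	fmt.Println("genuine:", c.Verify(meta, ed25519.Sign(priv, meta)))      // <nil>
	fmt.Println("unpinned key:", c.Verify(meta, ed25519.Sign(otherPriv, meta)))
	fmt.Println("re-pin attempt:", c.Bootstrap(otherPub))
}
```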
