On 24 October 2017 at 20:34, Thomas Güttler <guettl...@thomas-guettler.de> wrote:
> I stumbled over this page: https://theupdateframework.github.io/

For folks that haven't read them before, note that TUF is also the basis for the SSL/TLS independent package signing proposals in PEPs 458 & 480:

* https://www.python.org/dev/peps/pep-0458/ (PyPI -> end user signing)
* https://www.python.org/dev/peps/pep-0480/ (publisher -> end user signing)

Actually pursuing that idea is contingent on our being comfortable that the related key management activities will be on a sustainable footing, though: http://www.curiousefficiency.org/posts/2016/09/python-packaging-ecosystem.html#making-pypi-security-independent-of-ssl-tls

Cheers,
Nick.

P.S. TUF is in the news a bit this week, as both it and the related content signing project, Notary, were just accepted as community projects hosted by the Cloud Native Computing Foundation: https://thenewstack.io/cncf-brings-security-cloud-native-stack-notary-tuf-adoption/

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia