> Warehouse is already a SPOF.
> That's a hefty responsibility that contributions should support.
Warehouse doesn't need to be a SPOF. A compromise of the Warehouse server (and all keys on it) need not allow an attacker to compromise many users. The details are in the Diplomat paper <https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/kuppusamy>, but the gist is that you can have some rarely used, offline keys that are stored by folks like Donald, etc., and a quorum of those trusted users would need to be malicious to cause substantial harm to users.

However, you can have whatever trust / key distribution / storage model makes sense. TUF doesn't force you to use some pre-ordained model. It has flexibility to support a variety of workflows, including many with good security properties.

> Would [offline] package mirrors and the CDN still work for/with TUF keys?

Yes, this works just fine. CDNs / mirrors do not change in any way.
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
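The quorum argument in the reply above (a compromise of the online Warehouse key alone is not enough; at least a threshold of the offline key holders would have to collude) can be shown as a small threshold-verification routine. This is an added illustration, not code from the poster, from Warehouse, or from any TUF implementation. To run with the standard library only it uses HMAC tags as a stand-in for TUF's asymmetric signatures, and the key names, secrets and metadata layout are constructed; the quorum logic is what matters.

```python
"""Threshold ("quorum") verification of signed TUF-style root metadata.

Constructed example: the key names and secrets below are made up, and the
"signatures" are HMAC tags so that the block runs with the standard library
only. Real TUF uses asymmetric signatures (e.g. Ed25519); the counting of
distinct trusted signers against a threshold is the same idea.
"""
import hashlib
import hmac
import json

# Constructed secrets: three offline key holders and one online server key.
OFFLINE_SECRETS = [b"offline-holder-1", b"offline-holder-2", b"offline-holder-3"]
WAREHOUSE_SECRET = b"online-warehouse-key"   # what an attacker holds after a server compromise


def canonical(obj) -> bytes:
    # Deterministic serialisation so every signer signs identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def keyid(secret: bytes) -> str:
    # Stand-in for a TUF keyid (hash of the public key). HMAC has no public
    # half, so this hashes the secret; constructed, not TUF's real scheme.
    return hashlib.sha256(secret).hexdigest()[:16]


def sign(secret: bytes, signed: dict) -> dict:
    tag = hmac.new(secret, canonical(signed), "sha256").hexdigest()
    return {"keyid": keyid(secret), "sig": tag}


def verify_threshold(root: dict, trusted_keys: dict, threshold: int) -> bool:
    """True only if at least `threshold` distinct trusted keys produced valid
    signatures over root['signed']. Unknown keys and duplicate signatures from
    one key never add to the count."""
    payload = canonical(root["signed"])
    valid = set()
    for s in root.get("signatures", []):
        secret = trusted_keys.get(s["keyid"])
        if secret is None:
            continue                          # key not in the trusted set: ignored
        expected = hmac.new(secret, payload, "sha256").hexdigest()
        if hmac.compare_digest(expected, s["sig"]):
            valid.add(s["keyid"])             # set, so one key counts once
    return len(valid) >= threshold


def build_root(threshold: int):
    """Constructed root metadata listing only the offline keys for the root role."""
    trusted = {keyid(s): s for s in OFFLINE_SECRETS}
    signed = {
        "_type": "root",
        "version": 2,
        "roles": {"root": {"keyids": sorted(trusted), "threshold": threshold}},
    }
    return signed, trusted


def demo() -> dict:
    """Run the scenarios the thread discusses and return the verdict for each."""
    signed, trusted = build_root(threshold=2)
    thr = signed["roles"]["root"]["threshold"]

    # Honest release: two of the three offline holders sign the same metadata.
    honest = {"signed": signed,
              "signatures": [sign(OFFLINE_SECRETS[0], signed), sign(OFFLINE_SECRETS[1], signed)]}

    # Attacker with only the compromised online key tampers with the metadata.
    tampered = dict(signed, version=3)
    warehouse_only = {"signed": tampered, "signatures": [sign(WAREHOUSE_SECRET, tampered)]}

    # Online key plus one colluding offline holder: still below the quorum.
    one_colluder = {"signed": tampered,
                    "signatures": [sign(WAREHOUSE_SECRET, tampered), sign(OFFLINE_SECRETS[2], tampered)]}

    # The same offline key signing twice must not count as two signers.
    doubled = {"signed": tampered, "signatures": [sign(OFFLINE_SECRETS[2], tampered)] * 2}

    # A genuine signature over the honest metadata replayed onto tampered metadata.
    replayed = {"signed": tampered,
                "signatures": [sign(OFFLINE_SECRETS[0], signed), sign(OFFLINE_SECRETS[1], signed)]}

    # Two offline holders colluding do meet the quorum: that is the residual risk.
    two_colluders = {"signed": tampered,
                     "signatures": [sign(OFFLINE_SECRETS[1], tampered), sign(OFFLINE_SECRETS[2], tampered)]}

    return {
        "honest": verify_threshold(honest, trusted, thr),
        "warehouse_only": verify_threshold(warehouse_only, trusted, thr),
        "one_colluder": verify_threshold(one_colluder, trusted, thr),
        "doubled": verify_threshold(doubled, trusted, thr),
        "replayed": verify_threshold(replayed, trusted, thr),
        "two_colluders": verify_threshold(two_colluders, trusted, thr),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} -> {'accepted' if ok else 'rejected'}")
```

The two design points that carry the security claim are the `set` of valid keyids (so one key cannot be counted twice) and the lookup against the trusted key set taken from previously trusted root metadata (so a key the server holds but the root role never delegated to simply does not count, however many times it signs). The `two_colluders` case is the honest statement of the model: the quorum is the line, and it is a policy choice how many offline holders sit on either side of it.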