Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-15 Thread Trishank Karthik Kuppusamy
Absolutely. Nick, thanks for helping to clarify that tasks #6-7 are, indeed, handled by TUF. Giovanni, we would certainly like to comment on your design document as soon as we find the time. In fact, we are going to have a TUF hackathon here in a few hours, and we hope to make more progress on

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-14 Thread Giovanni Bajo
On 14/feb/2013, at 12:00, Ronald Oussoren wrote: > > On 14 Feb, 2013, at 11:25, Nick Coghlan wrote: > >> On Thu, Feb 14, 2013 at 6:46 PM, Ronald Oussoren >> wrote: >>> >>> On 13 Feb, 2013, at 15:21, Nick Coghlan wrote: For now, though, we would probably

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-14 Thread Ronald Oussoren
On 14 Feb, 2013, at 11:25, Nick Coghlan wrote: > On Thu, Feb 14, 2013 at 6:46 PM, Ronald Oussoren > wrote: >> >> On 13 Feb, 2013, at 15:21, Nick Coghlan wrote: >>> >>> >>> For now, though, we would probably start off with >>> release/target/timestamp roles sharing a key, all threshold valu

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-14 Thread Nick Coghlan
On Thu, Feb 14, 2013 at 6:46 PM, Ronald Oussoren wrote: > > On 13 Feb, 2013, at 15:21, Nick Coghlan wrote: >> >> >> For now, though, we would probably start off with >> release/target/timestamp roles sharing a key, all threshold values set >> to 1, and just doing simple project based target deleg

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-14 Thread Ronald Oussoren
On 13 Feb, 2013, at 15:21, Nick Coghlan wrote: > > > For now, though, we would probably start off with > release/target/timestamp roles sharing a key, all threshold values set > to 1, and just doing simple project based target delegation to user > keys. Given the existing GPG infrastructure, I'

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-13 Thread Nick Coghlan
On 14 Feb 2013 03:59, "Donald Stufft" wrote: > > On Wednesday, February 13, 2013 at 5:29 AM, Robert Collins wrote: >> >> On 13 February 2013 15:12, Giovanni Bajo wrote: >> >>> Yes, that's correct. GPG chain-of-trust concept is not used in my proposal, >>> because I don't think it would be a good

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-13 Thread Donald Stufft
On Wednesday, February 13, 2013 at 5:29 AM, Robert Collins wrote: > On 13 February 2013 15:12, Giovanni Bajo wrote: > > > Yes, that's correct. GPG chain-of-trust concept is not used in my proposal, > > because I don't think it would be a good fit for this problem given

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-13 Thread Nick Coghlan
On Wed, Feb 13, 2013 at 7:58 PM, Giovanni Bajo wrote: > On 13/feb/2013, at 04:31, Nick Coghlan > wrote: >> TUF's target delegation is thus in direct competition to the "trusted >> keys" file in your design. TUF specifically aims to take care of the >> "online key needed" proble

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-13 Thread Giovanni Bajo
On 13/feb/2013, at 11:29, Robert Collins wrote: > On 13 February 2013 15:12, Giovanni Bajo wrote: > >> Yes, that's correct. GPG chain-of-trust concept is not used in my proposal, >> because I don't think it would be a good fit for this problem given its >> requirements. Speci

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-13 Thread Robert Collins
On 13 February 2013 15:12, Giovanni Bajo wrote: > Yes, that's correct. GPG chain-of-trust concept is not used in my proposal, > because I don't think it would be a good fit for this problem given its > requirements. Specifically, I believe pip users should not be bothered with > useless click-thr

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-13 Thread Giovanni Bajo
On 13/feb/2013, at 04:31, Nick Coghlan wrote: > On Wed, Feb 13, 2013 at 2:27 AM, Giovanni Bajo wrote: >> On 12/feb/2013, at 14:12, Nick Coghlan >> wrote: >> >>> On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo wrote: Hello Nick, I've added

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Nick Coghlan
On Wed, Feb 13, 2013 at 2:27 AM, Giovanni Bajo wrote: > On 12/feb/2013, at 14:12, Nick Coghlan > wrote: > >> On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo wrote: >>> Hello Nick, >>> >>> I've added the initial Requirements and Threat Model section to my >>> document. I've al

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Giovanni Bajo
On 12/feb/2013, at 21:07, Daniel Holth wrote: > On Tue, Feb 12, 2013 at 2:20 PM, holger krekel wrote: > On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote: > > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo wrote: > > > > > > > > Your Task #6/#7 (related to PyPI generat

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Donald Stufft
On Tuesday, February 12, 2013 at 3:34 PM, Konstantin Andrianov wrote: > > On Feb 12, 2013, at 2:20 PM, holger krekel wrote: > > > On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote: > > > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo > > wrote: > > > > > > > >

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Konstantin Andrianov
On Feb 12, 2013, at 2:20 PM, holger krekel wrote: > On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote: >> On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo wrote: Your Task #6/#7 (related to PyPI generating the trust file, and pip verifying it) are the ones where I think the

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Daniel Holth
On Tue, Feb 12, 2013 at 2:20 PM, holger krekel wrote: > On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote: > > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo > wrote: > > > > > > > > Your Task #6/#7 (related to PyPI generating the trust file, and pip > > > > verifying it) are the ones whe

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Trishank Karthik Kuppusamy
On 02/12/2013 02:07 PM, Donald Stufft wrote: > Additionally their mailing for discussing this > is rubygems-develop...@rubyforge.org > for anyone who want to get > some cross language collab going on :) Here is another way to subscribe to that mailing lis

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread holger krekel
On Tue, Feb 12, 2013 at 12:44 -0500, Daniel Holth wrote: > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo wrote: > > > > > > Your Task #6/#7 (related to PyPI generating the trust file, and pip > > > verifying it) are the ones where I think the input of the TUF team > > > will be most valuable, as

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Donald Stufft
On Tuesday, February 12, 2013 at 1:50 PM, Daniel Holth wrote: > On Tue, Feb 12, 2013 at 1:39 PM, Jesse Noller wrote: > > > > > > On Tuesday, February 12, 2013 at 1:36 PM, Donald Stufft wrote: > > > > > On Tuesday, February 12, 2013 at 1:22 PM, Jesse Noller wrote: > >

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Daniel Holth
On Tue, Feb 12, 2013 at 1:39 PM, Jesse Noller wrote: > > > On Tuesday, February 12, 2013 at 1:36 PM, Donald Stufft wrote: > > > On Tuesday, February 12, 2013 at 1:22 PM, Jesse Noller wrote: > > > > > > > > > On Tuesday, February 12, 2013 at 12:44 PM, Daniel Holth wrote: > > > > > > > On Tue, Feb

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Donald Stufft
On Tuesday, February 12, 2013 at 1:22 PM, Jesse Noller wrote: > > > On Tuesday, February 12, 2013 at 12:44 PM, Daniel Holth wrote: > > > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo > wrote: > > > On 12/feb/2013, at 14:12, Nick Coghlan > >

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Jesse Noller
On Tuesday, February 12, 2013 at 1:36 PM, Donald Stufft wrote: > On Tuesday, February 12, 2013 at 1:22 PM, Jesse Noller wrote: > > > > > > On Tuesday, February 12, 2013 at 12:44 PM, Daniel Holth wrote: > > > > > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo > >

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Jesse Noller
On Tuesday, February 12, 2013 at 12:44 PM, Daniel Holth wrote: > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo wrote: > > On 12/feb/2013, at 14:12, Nick Coghlan > wrote: > > > > > On Tue, Feb 12, 2013 at 10:09 PM, Gi

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Giovanni Bajo
On 12/feb/2013, at 18:44, Daniel Holth wrote: > On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo wrote: > On 12/feb/2013, at 14:12, Nick Coghlan > wrote: > > > On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo wrote: > >> Hello Nick, > >> > >> I've added the

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Daniel Holth
On Tue, Feb 12, 2013 at 11:27 AM, Giovanni Bajo wrote: > On 12/feb/2013, at 14:12, Nick Coghlan > wrote: > > > On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo > wrote: > >> Hello Nick, > >> > >> I've added the initial Requirements and Threat Model section to my > document. I'v

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Giovanni Bajo
On 12/feb/2013, at 14:12, Nick Coghlan wrote: > On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo wrote: >> Hello Nick, >> >> I've added the initial Requirements and Threat Model section to my document. >> I've also added a section "Future scenarios" at the end of the document

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Nick Coghlan
On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo wrote: > Hello Nick, > > I've added the initial Requirements and Threat Model section to my document. > I've also added a section "Future scenarios" at the end of the document. > > I hope they complete what you were feeling was missing from the prop

[Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Richard Jones
[posted on behalf of Donald Stufft] The folks on the ruby side of things who are dealing with a lot of the same problems as Python/PyPI is have put together a document containing a threat model and requirements of the system. While the terminology is obviously ruby specific the concepts all apply

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Giovanni Bajo
On 12/feb/2013, at 09:46, Giovanni Bajo wrote: > On 12/feb/2013, at 08:57, Nick Coghlan > wrote: > >> On Tue, Feb 12, 2013 at 10:39 AM, Donald von Stufft >> wrote: >>> The folks on the ruby side of things who are dealing with a lot of >>> the same problems

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-12 Thread Giovanni Bajo
On 12/feb/2013, at 08:57, Nick Coghlan wrote: > On Tue, Feb 12, 2013 at 10:39 AM, Donald von Stufft > wrote: >> The folks on the ruby side of things who are dealing with a lot of >> the same problems as Python/PyPI is have put together a document >> containing a threat model a

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-11 Thread Nick Coghlan
On Tue, Feb 12, 2013 at 10:39 AM, Donald von Stufft wrote: > The folks on the ruby side of things who are dealing with a lot of > the same problems as Python/PyPI is have put together a document > containing a threat model and requirements of the system. While the > terminology is obviously ruby s

Re: [Catalog-sig] RubyGems Threat Model and Requirements

2013-02-11 Thread Donald Stufft
On Monday, February 11, 2013 at 8:50 PM, Richard Jones wrote: > [posted on behalf of Donald Stufft] > > The folks on the ruby side of things who are dealing with a lot of > the same problems as Python/PyPI is have put together a document > containing a threat model and requirements of the system.