<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On 24 October 2017 at 20:34, Thomas Güttler <span dir="ltr">&lt;<a href="mailto:guettliml@thomas-guettler.de" target="_blank">guettliml@thomas-guettler.de</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  

    
  
  <div bgcolor="#FFFFFF">
    <p>I stumbled over this page: <a class="gmail-m_-4368984149604417346moz-txt-link-freetext" href="https://theupdateframework.github.io/" target="_blank">https://theupdateframework.<wbr>github.io/</a></p></div></blockquote></div><div class="gmail_quote">For folks that haven't read them before, note that TUF is also the basis for the SSL/TLS independent package signing proposals in PEPs 458 & 480:</div><div class="gmail_quote"><br></div><div class="gmail_quote">* <a href="https://www.python.org/dev/peps/pep-0458/">https://www.python.org/dev/peps/pep-0458/</a> (PyPI -> end user signing)</div><div class="gmail_quote">* <a href="https://www.python.org/dev/peps/pep-0480/">https://www.python.org/dev/peps/pep-0480/</a> (publisher -> end user signing)</div><div class="gmail_quote"><br></div><div class="gmail_quote">Actually pursuing that idea is contingent on our being comfortable that the related key management activities will be on a sustainable footing, though: <a href="http://www.curiousefficiency.org/posts/2016/09/python-packaging-ecosystem.html#making-pypi-security-independent-of-ssl-tls">http://www.curiousefficiency.org/posts/2016/09/python-packaging-ecosystem.html#making-pypi-security-independent-of-ssl-tls</a><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">Cheers,</div><div class="gmail_quote">Nick.</div><div class="gmail_quote"><br></div><div class="gmail_quote">P.S. 
TUF is in the news a bit this week, as both it and the related content signing project, Notary, were just accepted as community projects hosted by the Cloud Native Computing Foundation: <a href="https://thenewstack.io/cncf-brings-security-cloud-native-stack-notary-tuf-adoption/">https://thenewstack.io/cncf-brings-security-cloud-native-stack-notary-tuf-adoption/</a><br></div><div class="gmail_quote"></div><div class="gmail_quote"><br></div>-- <br><div class="gmail_signature">Nick Coghlan   |   <a href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a>   |   Brisbane, Australia</div>
</div></div>