On 08/01/2013 05:02 PM, holger krekel wrote:
Thanks for the links. They contain code instructions, but I am not sure I get the overall picture yet. Do you have a whitepaper or overview describing the approach with respect to PyPI?
We do, but it is not up-to-date with our latest thoughts. We will rectify this soon enough: https://docs.google.com/document/d/1sHMhgrGXNCvBZdmjVJzuoN5uMaUAUDWBmn3jo7vx...
If I understand the code correctly, you are implementing key signing, verification and revocation through calling openssl library functions. Have you considered just invoking or interfacing with "gpg"?
Yes, that is an option we could decide to implement, along with other cryptography libraries. I think we chose to start with interfacing with OpenSSL because it is generic, time-tested to be secure and available on many platforms. TUF does not need to exclusively depend on either OpenSSL, GPG or anything else: we can extend it to use what is available.
On a minor note, for creating a PyPI mirror it's better to use bandersnatch instead of pep381 (I am referring to this here: https://github.com/theupdateframework/pip/wiki/PyPI-over-TUF#mirror-pypi )
Thanks for the tip. Indeed, we do use bandersnatch [https://github.com/theupdateframework/pypi.updateframework.com/blob/master/s...]. That wiki entry points to an old set of instructions that we will remove soon.
Lastly, maybe the advertisement that "TUF is like the 'S' in HTTPS" is not really a good advertisement given the several currently discussed problems with HTTPS, the most recent one being the BREACH attack: http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks...
I see what you are saying, but I do not think that it follows that TUF works like SSL :) Perhaps we can think of a better metaphor, but the idea we wanted to convey is that TUF is like a plug-in you simply drop into your software update system, and voilà, you get security for relatively little work. Let us know if you have more questions. In the meantime, we are busy designing our key management scheme for PyPI+TUF (which I think would highly interest you), so please bear with us while we hammer that out over this week.