Hi Thomas,
It's great you're so enthusiastic about Python packaging and distribution,
but it might be good to keep in mind that there are a lot of people reading
these lists, and answering basic questions can take time away from making
important improvements?
In this case, a quick google of "the update framework" or skimming of the
referenced PEP 458 would have revealed that TUF is totally orthogonal to
the kinds of updates that you're worried about -- it's about building a
cryptographic framework to let you reliably identify what the latest
version of some software is, even if e.g. someone has broken into PyPI and
tried to add backdoors to the software there, which is important no matter
what strategy you then use to deploy those updates. In fact, possibly the
largest deployment of TUF is the version built into Docker's latest
release, to help you securely pick a good base image.
-n
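The property described in the reply above (a client that can tell which version is the latest, and reject what a compromised repository serves, because trust lives in signed metadata rather than in the server) is illustrated by the following added example. It is not code from the reply, from PEP 458 or from the TUF reference implementation, and it does not use TUF's real metadata format: the keys, the one-package "targets" file, the package bytes and the timestamp NOW are all constructed for the illustration, and an HMAC with a shared key stands in for the public-key signatures TUF actually uses (with TUF the client holds only public keys). What it does show is the sequence of checks a TUF-style client runs: signature over canonical metadata, expiry, a monotonically increasing metadata version, and the signed length and hash of the package itself.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the offline key that signs the "targets" role.
# TUF itself uses public-key signatures, so a client holds only public keys;
# an HMAC with a shared key keeps this illustration free of third-party libs.
SIGNING_KEY = b"constructed-offline-targets-key"
NOW = 1_446_600_000   # constructed "current time" (Unix timestamp, Nov 2015)


class MetadataError(Exception):
    """Raised when served metadata or a package fails a check."""


def canonical(obj):
    """Canonical JSON so signer and verifier sign/verify identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(signed, key=SIGNING_KEY):
    """Attach a signature (HMAC stand-in) over the canonical form of 'signed'."""
    return {"signed": signed, "sig": hmac.new(key, canonical(signed), "sha256").hexdigest()}


def make_targets(meta_version, expires, name, pkg_version, package_bytes):
    """Build and sign a targets file naming one package by version, length and hash."""
    return sign_metadata({
        "version": meta_version,
        "expires": expires,
        "targets": {name: {"version": pkg_version,
                           "length": len(package_bytes),
                           "sha256": hashlib.sha256(package_bytes).hexdigest()}},
    })


def verify_and_select(envelope, name, package_bytes, *, trusted_key, last_version, now):
    """Validate what the repository served; return the package version it vouches for."""
    signed = envelope["signed"]
    expected = hmac.new(trusted_key, canonical(signed), "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        raise MetadataError("signature: metadata altered or not signed by the trusted key")
    if signed["expires"] <= now:
        raise MetadataError("expired: repository is serving stale metadata (freeze attack)")
    if signed["version"] < last_version:
        raise MetadataError("rollback: metadata older than what this client already accepted")
    target = signed["targets"].get(name)
    if target is None:
        raise MetadataError(f"missing: {name} is not in the signed targets")
    if (len(package_bytes) != target["length"]
            or hashlib.sha256(package_bytes).hexdigest() != target["sha256"]):
        raise MetadataError("hash: package bytes do not match the signed length/digest")
    return target["version"]


def run_scenarios():
    """Constructed scenarios: one honest repository and four compromised ones."""
    old_pkg = b"constructed wheel bytes for requests 2.8.0"
    good = b"constructed wheel bytes for requests 2.8.1"
    backdoored = good + b" + attacker-added backdoor"
    v1 = make_targets(1, NOW + 86400, "requests", "2.8.0", old_pkg)
    v2 = make_targets(2, NOW + 86400, "requests", "2.8.1", good)

    # Attacker with repository access but no signing key rewrites the hash in place.
    tampered = json.loads(json.dumps(v2))
    tampered["signed"]["targets"]["requests"]["sha256"] = hashlib.sha256(backdoored).hexdigest()

    stale = make_targets(3, NOW - 1, "requests", "2.8.1", good)   # properly signed, but expired

    def attempt(envelope, pkg, last_version=2):
        try:
            return "ok:" + verify_and_select(envelope, "requests", pkg, trusted_key=SIGNING_KEY,
                                             last_version=last_version, now=NOW)
        except MetadataError as e:
            return "rejected:" + str(e).split(":")[0]

    return {
        "honest": attempt(v2, good),
        "swapped_package": attempt(v2, backdoored),       # metadata intact, wheel replaced
        "tampered_metadata": attempt(tampered, backdoored),
        "rollback": attempt(v1, old_pkg, last_version=2),  # old metadata replayed to the client
        "expired": attempt(stale, good),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:18} {outcome}")
```

The point of the scenarios is that the repository is untrusted in every case: the client accepts a package only when the offline-signed metadata is valid, fresh, at least as new as what it already accepted, and actually matches the bytes it downloaded. That is independent of whether those bytes then go into an in-place upgrade or a freshly built image.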
On Nov 4, 2015 12:06 PM, "Thomas Güttler"
I read the RoadMap (Thank you Marcus Smith) and came across this:
An effort to integrate PyPI with the "The Update Framework" (TUF). This is specified in PEP 458.
I see a trend to immutable systems everywhere. Updates are a pain. Building new systems is easier. With current hardware and good software it is easier to build new systems instead of updating existing systems.
It is like from pets to cattle:
- pets: you give them names and care for them (do updates)
- cattle: you give them numbers and if they get ill you get rid of them.
Maybe I am missing something. But why is there an effort to create "The Update Framework", and why integrate it with pypi?
Regards, Thomas Güttler
--
http://www.thomas-guettler.de/
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig