TUF should be handled via a grant from Facebook this year once Ernest and I get this underway:
https://pyfound.blogspot.com/2018/12/upcoming-pypi-improvements-for-2019.html

We will take all the help we can get, but we'll have project management and some funds!

Cooper

On Feb 12, 2019, at 9:42 AM, Wes Turner <wes.turner@gmail.com> wrote:

... The Update Framework (TUF) is in part derived from Thandy (the Tor updater). There's an automotive derivative of TUF called Uptane.
https://theupdateframework.github.io/

"Roadmap update for TUF support"
https://github.com/pypa/warehouse/issues/5247

"TUF deployment roadmap for PyPI"
https://github.com/theupdateframework/tuf/issues/816#

SHA-256 is not sufficient. GPG was removed because it was insufficient.
Does TUF need funding, person-hours, new code, or code-review?