On Jun 2, 2013, at 4:21 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:

On Sun, Jun 2, 2013 at 5:37 PM, holger krekel <holger@merlinux.eu> wrote:
Speaking of TUF: is there some kind of PEP-like doc floating already?

Just the proof-of-concept the TUF folks created about using it to
secure /simple. I'm personally sold on the technology itself as
something we should deploy in the long run, but I think it makes sense
to wait until we have the static dependency metadata publication and
various other PyPI related infrastructure issues sorted out before we
try to offer additional protection above and beyond trusting the SSL
CA system and PyPI itself.

That said, one of the reasons PEP 426 calls out the "essential
dependency resolution" fields is that those are the ones I think it
may make sense to embed in the TUF custom metadata fields.

Cheers,
Nick.

--
Nick Coghlan   |   ncoghlan@gmail.com   |   Brisbane, Australia
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig

If we deploy some sort of end-to-end signing I think TUF is a good implementation of it.

I'm not sold on the possibility of reasonably doing end-to-end signing here though.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA