On 24 October 2017 at 20:34, Thomas Güttler <guettliml@thomas-guettler.de> wrote:

I stumbled over this page: https://theupdateframework.github.io/

For folks that haven't read them before, note that TUF is also the basis for the SSL/TLS independent package signing proposals in PEPs 458 & 480: * https://www.python.org/dev/peps/pep-0458/ (PyPI -> end user signing) * https://www.python.org/dev/peps/pep-0480/ (publisher -> end user signing) Actually pursuing that idea is contingent on our being comfortable that the related key management activities will be on a sustainable footing, though: http://www.curiousefficiency.org/posts/2016/09/python-packaging-ecosystem.ht... Cheers, Nick. P.S. TUF is in the news a bit this week, as both it and the related content signing project, Notary, were just accepted as community projects hosted by the Cloud Native Computing Foundation: https://thenewstack.io/cncf-brings-security-cloud-native-stack-notary-tuf-ad... -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia