Testing pip security without and with TUF
Hello everyone,

Recently, we tested how pip would respond, without and with TUF, to attacks on PyPI: https://github.com/theupdateframework/pip/wiki/Test-pip-security-without-and...

TUF now uses the portable PyCrypto cryptography library, though we are watching cryptography-dev with great interest.

In our internal tests, pip-with-TUF works on Microsoft Windows 7-8 32/64 bit, Apple OS X (10.7-10.8), and Debian/Ubuntu GNU/Linux 32/64 bit.

We also have integration tests where we show TUF protecting against other kinds of attacks: https://github.com/theupdateframework/tuf/tree/develop/tests/integration

Previously, we demonstrated that we could efficiently secure PyPI with TUF metadata: https://mail.python.org/pipermail/distutils-sig/2013-August/022276.html

*** We need your guidance here! ***

Our next step is to integrate TUF with the PyPI server itself to see how everything would work in production. This would allow us, amongst other things, to build better package-signing tools for developers, and make continuous release of packages as smooth as possible.

Before we go any further, though, we would like your thoughts on the matter. Should we modify the PyPI server ourselves? Or should we wait for Warehouse instead?

We want to work together with the DistUtils SIG community on all of this, and would appreciate any feedback and thoughts you have for us. What would you like to see from us?

Thanks,
The TUF Team
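The message above says that TUF metadata lets pip reject tampered packages and related attacks on a repository, but does not show what a client actually checks. The following is an added illustration written for this page, not code from the TUF project, pip, or the message's authors: a toy client verifies a signed "targets" document before trusting a downloaded file, checking the signature on the metadata, that the metadata version has not gone backwards, that it has not expired, and that the file's length and SHA-256 hash match what the metadata lists. The key, the package bytes, the file name, the version and expiry numbers, and the use of HMAC-SHA256 in place of TUF's asymmetric signatures are all constructed for the demo and do not reflect TUF's real formats.

```python
import hashlib
import hmac
import json

# Constructed demo values (assumptions): not a real TUF key, not a real wheel.
DEMO_KEY = b"demo-signing-key-not-for-production"
DEMO_WHEEL = b"PK\x03\x04 constructed stand-in for wheel contents"
TARGET_NAME = "demo-1.0-py3-none-any.whl"


class VerificationError(Exception):
    """Raised when metadata or a downloaded target fails a check."""


def canonical(obj):
    # Deterministic serialisation so signer and verifier authenticate the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(signed, key=DEMO_KEY):
    # HMAC-SHA256 stands in for TUF's public-key signatures in this demo only.
    return {"signed": signed, "sig": hmac.new(key, canonical(signed), "sha256").hexdigest()}


def make_targets(package, version, expires):
    # A minimal targets-style document: version, expiry, and per-file length and hash.
    return {
        "version": version,
        "expires": expires,
        "targets": {
            TARGET_NAME: {
                "length": len(package),
                "hashes": {"sha256": hashlib.sha256(package).hexdigest()},
            }
        },
    }


def verify_metadata(doc, key, trusted_version, now):
    # 1. Signature must verify; 2. version must not go backwards (rollback);
    # 3. metadata must not be expired (a frozen, stale copy is rejected).
    signed = doc["signed"]
    expected = hmac.new(key, canonical(signed), "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["sig"]):
        raise VerificationError("bad signature")
    if signed["version"] < trusted_version:
        raise VerificationError("rollback: version older than last seen")
    if signed["expires"] <= now:
        raise VerificationError("expired metadata (possible freeze attack)")
    return signed


def verify_target(signed, name, data):
    # The downloaded bytes must match the listed length and hash exactly.
    info = signed["targets"].get(name)
    if info is None:
        raise VerificationError("target not listed in metadata")
    if len(data) != info["length"]:
        raise VerificationError("length mismatch")
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), info["hashes"]["sha256"]):
        raise VerificationError("hash mismatch")
    return True


def check_install(doc, name, data, key=DEMO_KEY, trusted_version=1, now=1000):
    # Returns "ok" or a "rejected: <reason>" string so outcomes are easy to compare.
    try:
        signed = verify_metadata(doc, key, trusted_version, now)
        verify_target(signed, name, data)
        return "ok"
    except VerificationError as exc:
        return f"rejected: {exc}"


def run_scenarios():
    # Good metadata at version 2, expiring at "time" 2000; the client's clock is 1000.
    good = sign(make_targets(DEMO_WHEEL, version=2, expires=2000))
    altered = DEMO_WHEEL + b"x"
    return {
        "good": check_install(good, TARGET_NAME, DEMO_WHEEL),
        # Package bytes changed but metadata untouched: length/hash check fails.
        "tampered_package": check_install(good, TARGET_NAME, altered),
        # Metadata edited to match the altered package but the old signature kept.
        "unsigned_edit": check_install(
            {"signed": make_targets(altered, 2, 2000), "sig": good["sig"]}, TARGET_NAME, altered
        ),
        # Validly signed but older metadata served to a client that already saw version 2.
        "rollback": check_install(
            sign(make_targets(DEMO_WHEEL, 1, 2000)), TARGET_NAME, DEMO_WHEEL, trusted_version=2
        ),
        # Validly signed metadata whose expiry (500) is already in the past.
        "stale": check_install(sign(make_targets(DEMO_WHEEL, 2, 500)), TARGET_NAME, DEMO_WHEEL),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

Only the first scenario installs; each of the others is refused by a different check, which is the point of carrying version, expiry, length and hash inside signed metadata rather than trusting whatever the server happens to return.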
participants (3)
- Donald Stufft
- Trishank Karthik Kuppusamy
- Vladimir Diaz