[Catalog-sig] [Draft] Package signing and verification process
Lennart Regebro
regebro at gmail.com
Thu Feb 7 23:47:26 CET 2013
On Thu, Feb 7, 2013 at 3:06 PM, Justin Cappos <jcappos at poly.edu> wrote:
> We'd like to integrate TUF ( https://www.updateframework.com/ ) into PyPI to
> help out if it makes sense. In theory the integration should be
> straightforward. It's basically just importing a few libraries in the
> client tools and asking package publishers / PyPI to do an extra step to add
> signatures. We believe it should be incrementally deployable (i.e. work if
> not everyone is using TUF everywhere) without being a usability problem for
> anyone. We're looking into this now to see what sort of complications this
> may have. We do have some looming deadlines, but we'd like to get a demo
> together later this month.
I'm all for the idea of either using solutions that others also use,
or, if that's not feasible, making the solution we choose usable by
others. I do not have the knowledge to judge TUF specifically, though.
//Lennart