[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Lennart Regebro regebro at gmail.com
Sun Feb 10 16:43:53 CET 2013


On Sun, Feb 10, 2013 at 2:22 PM, Giovanni Bajo <rasky at develer.com> wrote:
> I would like to see existing large-scale/high-profile deploys of TUF. Are there any? Otherwise the argument "TUF already exists, let's use it" is a bit weak.

Well, no, I don't think it gets weaker. That it's not used by other big
deployments means that we can't just use it and assume it's going to be
good. We still have to be highly critical of it and look closely at
every part.

But since it already exists and is written in Python as far as I can
understand, it saves some work, which is good, and most importantly:
If we find it needs to be improved, then others get to use that
improvement.

Someone has to be the first user. :-)

//Lennart

