[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
Giovanni Bajo
rasky at develer.com
Tue Feb 12 09:40:20 CET 2013
On 11 Feb 2013, at 20:33, Justin Cappos <jcappos at poly.edu> wrote:
> Once again, apologies for being mostly out of this discussion for the next 10 days or so, but I did want to jump in and clarify a point.
>
> TUF can be used exactly with a one-key-per-devel model. (In fact, see our CCS 10 paper on this for details.)
> It's possible to revoke keys and have split keys, etc. but a "simple" developer setup is just as simple as what you propose.
Sorry, I can't find this in the CCS10 document, but maybe it's just that I don't understand what you mean. The document talks about 1 key per role (§8.2), but there are still 4 roles that need to be implemented, as far as I can tell. Are you suggesting that a single developer only handles the target role, while the others are centrally handled by PyPI?
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
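To make the role split being asked about concrete, here is an added illustration (not code from the thread, from TUF, or from PyPI) of a repository where the four top-level roles are held centrally and a developer holds only one key, for a delegated targets role. It assumes: an HMAC over canonical JSON as a stand-in for real public-key signatures (real TUF uses asymmetric keys, and the client holds only public keys); a delegation named "rasky" with a made-up path pattern; and a constructed distribution file name and content. The role names root, timestamp, snapshot and targets are TUF's own; everything else is invented for the example.

```python
import fnmatch
import hashlib
import hmac
import json

# Toy stand-in for public-key signatures (assumption for this example): each
# key is a shared secret and a "signature" is an HMAC over canonical JSON.
# What matters here is *which* role must sign *what*, not the crypto itself.
KEYS = {
    "root": b"root-secret",            # held centrally, ideally offline
    "timestamp": b"timestamp-secret",  # held centrally, online
    "snapshot": b"snapshot-secret",    # held centrally, online
    "targets": b"targets-secret",      # held centrally, delegates to developers
    "rasky": b"developer-secret",      # the single key a developer holds
}

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def sign(keyid, signed):
    mac = hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": mac}

def signed_by(keyid, signed):
    return {"signed": signed, "signatures": [sign(keyid, signed)]}

def verify(metadata, keyid):
    """True only if `metadata` carries a valid signature from `keyid`."""
    expected = sign(keyid, metadata["signed"])["sig"]
    return any(s["keyid"] == keyid and hmac.compare_digest(s["sig"], expected)
               for s in metadata["signatures"])

def build_repository(package_name, package_bytes):
    """Central roles sign root/timestamp/snapshot/targets; the developer signs
    only a delegated targets role that lists their own distribution."""
    dev_targets = {"targets": {package_name: {"sha256": sha256(package_bytes)}}}
    top_targets = {"targets": {},
                   "delegations": [{"name": "rasky", "keyid": "rasky", "paths": ["foo-*"]}]}
    snapshot = {"meta": {"targets.json": sha256(canonical(top_targets)),
                         "rasky.json": sha256(canonical(dev_targets))}}
    timestamp = {"meta": {"snapshot.json": sha256(canonical(snapshot))}}
    root = {"keys": {"timestamp": "timestamp", "snapshot": "snapshot", "targets": "targets"}}
    return {
        "root.json": signed_by("root", root),
        "timestamp.json": signed_by("timestamp", timestamp),
        "snapshot.json": signed_by("snapshot", snapshot),
        "targets.json": signed_by("targets", top_targets),
        "rasky.json": signed_by("rasky", dev_targets),
    }

def verify_package(repo, package_name, package_bytes):
    """Client-side walk: root -> timestamp -> snapshot -> targets -> delegated
    developer role -> file hash. True only if every link in the chain holds."""
    root = repo["root.json"]
    if not verify(root, "root"):                       # root is the trust anchor
        return False
    roles = root["signed"]["keys"]                     # which key holds which role
    ts = repo["timestamp.json"]
    if not verify(ts, roles["timestamp"]):
        return False
    snap = repo["snapshot.json"]
    if not verify(snap, roles["snapshot"]):
        return False
    if sha256(canonical(snap["signed"])) != ts["signed"]["meta"]["snapshot.json"]:
        return False                                   # stale or swapped snapshot
    meta = snap["signed"]["meta"]
    top = repo["targets.json"]
    if not verify(top, roles["targets"]):
        return False
    if sha256(canonical(top["signed"])) != meta.get("targets.json"):
        return False
    # Follow the delegation whose path pattern covers the requested file.
    for d in top["signed"]["delegations"]:
        if any(fnmatch.fnmatch(package_name, p) for p in d["paths"]):
            dev = repo[d["name"] + ".json"]
            if not verify(dev, d["keyid"]):            # developer's own key
                return False
            if sha256(canonical(dev["signed"])) != meta.get(d["name"] + ".json"):
                return False                           # developer role not in snapshot
            entry = dev["signed"]["targets"].get(package_name)
            return entry is not None and entry["sha256"] == sha256(package_bytes)
    return False                                       # no role covers this file

if __name__ == "__main__":
    repo = build_repository("foo-1.0.tar.gz", b"constructed sdist bytes")
    print(verify_package(repo, "foo-1.0.tar.gz", b"constructed sdist bytes"))
```

The developer's key authorises the content of their own files and nothing else: it cannot stand in for the snapshot or timestamp key, and if the developer re-signs new content without the central snapshot being updated, the hash recorded in snapshot.json no longer matches and the client rejects it.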