[Catalog-sig] RubyGems Threat Model and Requirements
Nick Coghlan
ncoghlan at gmail.com
Tue Feb 12 14:12:38 CET 2013
On Tue, Feb 12, 2013 at 10:09 PM, Giovanni Bajo <rasky at develer.com> wrote:
> Hello Nick,
>
> I've added the initial Requirements and Threat Model section to my document. I've also added a section "Future scenarios" at the end of the document.
>
> I hope they complete what you were feeling was missing from the proposal.
Thanks, that helps me a lot in understanding the overall goals of your
approach - in particular, it more clearly puts several things out of
scope :)
Your Task #6/#7 (related to PyPI generating the trust file, and pip
verifying it) are the ones where I think the input of the TUF team
will be most valuable, as well as potentially the folks responding to
the rubygems.org attack.
rubygems.org will also be looking at server side incident response
- I suspect a lot of that side of things will end up running through
the PSF infrastructure team moreso than catalog-sig (although it may
end up here if it involves PyPI code changes).
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia