[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Justin Cappos jcappos at poly.edu
Tue Feb 12 14:57:48 CET 2013


Yes, that is what I meant.   Sorry for any confusion about this.

Thanks,
Justin


On Tue, Feb 12, 2013 at 3:40 AM, Giovanni Bajo <rasky at develer.com> wrote:

> On 11 Feb 2013, at 20:33, Justin Cappos <jcappos at poly.edu>
> wrote:
>
> Once again, apologies for being mostly out of this discussion for the next
> 10 days or so, but I did want to jump in and clarify a point.
>
> TUF can be used exactly with a one-key-per-devel model. (In fact, see
> our CCS 10 paper on this for details.)
>
> It's possible to revoke keys and have split keys, etc. but a "simple"
> developer setup is just as simple as what you propose.
>
>
> Sorry I can't find this in the CCS10 document, but maybe it's just that I
> don't understand what you mean. The document talks about 1 key per role
> (§8.2), but there are still 4 roles that need to be implemented, as far as
> I can tell. Are you suggesting that a single developer only handles the
> target role, while the others are centrally handled by PyPI?
>
>  --
> Giovanni Bajo   ::  rasky at develer.com
> Develer S.r.l.  ::  http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
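The setup Justin confirms above (a developer holds one key that signs only a delegated targets role, while PyPI holds the top-level roles) can be sketched as a toy client-side verifier. This is an added example, not code from TUF or from the thread: HMAC-SHA256 stands in for real public-key signatures, every key, key id and file byte string is constructed, and the timestamp and snapshot roles are left out.

```python
import fnmatch
import hashlib
import hmac
import json

# Toy stand-in for public-key signing: HMAC keyed by a per-role secret.
# Real TUF uses asymmetric signatures; only the role structure is modelled here.
def sign(key, metadata):
    payload = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify(key, metadata, sig):
    return hmac.compare_digest(sign(key, metadata), sig)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

PYPI_TARGETS_KEY = b"pypi-top-level-targets-key"  # constructed: held centrally by PyPI
DEV_KEY = b"alice-package-key"                    # constructed: the developer's single key
DIST = b"fake sdist bytes"                         # constructed: the distribution file

# Top-level targets metadata, signed by PyPI, delegates the path pattern
# "alice-*" to the role "alice", which is trusted via exactly one key id.
TOP_TARGETS = {"delegations": [{"role": "alice", "paths": ["alice-*"], "keyid": "alice-key"}]}
TOP_SIG = sign(PYPI_TARGETS_KEY, TOP_TARGETS)

# Delegated targets metadata, signed only by the developer, lists her file's hash and length.
ALICE_TARGETS = {"targets": {"alice-pkg-1.0.tar.gz": {"sha256": sha256(DIST), "length": len(DIST)}}}
ALICE_SIG = sign(DEV_KEY, ALICE_TARGETS)

KEYRING = {"alice-key": DEV_KEY}  # key id -> key (public keys in real TUF)

def verify_target(path, blob, top, top_sig, delegated, delegated_sig, pypi_key, keyring):
    """Return True iff `blob` is a trusted copy of `path` under the delegation chain."""
    if not verify(pypi_key, top, top_sig):
        return False  # PyPI's top-level targets metadata is unsigned or tampered
    for d in top["delegations"]:
        if any(fnmatch.fnmatch(path, pattern) for pattern in d["paths"]):
            key = keyring.get(d["keyid"])
            if key is None or not verify(key, delegated, delegated_sig):
                return False  # delegated role is not signed by the developer's key
            info = delegated["targets"].get(path)
            return (info is not None and info["length"] == len(blob)
                    and hmac.compare_digest(info["sha256"], sha256(blob)))
    return False  # no role is trusted for this path

if __name__ == "__main__":
    print(verify_target("alice-pkg-1.0.tar.gz", DIST, TOP_TARGETS, TOP_SIG,
                        ALICE_TARGETS, ALICE_SIG, PYPI_TARGETS_KEY, KEYRING))
```

Revoking the developer's key is then a PyPI-side operation: re-sign TOP_TARGETS with a new `keyid`, and metadata signed by the old key stops verifying without the developer touching any other role.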

