[Catalog-sig] PyPI/pip security: waiting for input

Giovanni Bajo rasky at develer.com
Mon Mar 11 15:31:00 CET 2013


On 11 Mar 2013, at 15:17, Justin Cappos <jcappos at poly.edu> wrote:

> Yes, we're finishing this up now. We have a working demo with TUF signing PyPI metadata and pip (integrated with TUF) correctly checking signatures, etc.
> 
> Trishank: when do you plan to share this? Does Kon still have some integration tests to write to show we meet the use cases from Giovanni's document?


While the code is great, I'm mainly concerned with documenting the workflow and making sure it matches the proposed requirements: how to create a key, how to revoke it, how to use an offline list of authorized keys for installation of packages, etc.

As I mentioned before, my proposal would only take me a few days to prototype (repeating this in case someone thinks that my proposal requires millions of man hours for any reason); I held it off waiting for a discussion with you.

Relink to my proposal:
https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
