[Catalog-sig] PyPI/pip security: waiting for input
jcappos at poly.edu
Mon Mar 11 15:33:42 CET 2013
Yep, we have the doc mostly together and are finishing it up / polishing.
We'll have something to you soon. We have a lightning talk set up at
PyCon and will post all then at the latest. We do want to announce /
share before then though.
On Mon, Mar 11, 2013 at 10:31 AM, Giovanni Bajo <rasky at develer.com> wrote:
> On 11 Mar 2013, at 15:17, Justin Cappos <jcappos at poly.edu> wrote:
> > Yes, we're finishing this up now. We have a working demo with TUF
> > signing PyPI metadata and pip (integrated with TUF) correctly checking
> > signatures, etc.
> > Trishank: when do you plan to share this? Does Kon still have some
> > integration tests to write to show we meet the use cases from Giovanni's
> While the code is great, I'm mainly concerned with documenting the
> workflow and making sure it matches the proposed requirements: how to
> create a key, how to revoke it, how to use an offline list of authorized
> keys for installation of packages, etc.
> As I mentioned before, my proposal would only take me a few days to
> prototype (repeating this in case someone thinks that my proposal requires
> millions of man hours for any reason); I held it off waiting for a
> discussion with you.
> Relink to my proposal:
> Giovanni Bajo :: rasky at develer.com
> Develer S.r.l. :: http://www.develer.com
> My Blog: http://giovanni.bajo.it